ETAPS Foreword


Welcome to the 25th ETAPS! ETAPS 2022 took place in Munich, the beautiful capital 
of Bavaria, in Germany. 

ETAPS 2022 is the 25th instance of the European Joint Conferences on Theory and Practice of Software. ETAPS is an annual federated conference established in 1998, and consists of four conferences: ESOP, FASE, FoSSaCS, and TACAS. Each conference has its own Program Committee (PC) and its own Steering Committee (SC). The conferences cover various aspects of software systems, ranging from theoretical computer science to foundations of programming languages, analysis tools, and formal approaches to software engineering. Organizing these conferences in a coherent, highly synchronized conference program enables researchers to participate in an exciting event, having the possibility to meet many colleagues working in different directions in the field, and to easily attend talks of different conferences. On the weekend before the main conference, numerous satellite workshops took place that attracted many researchers from all over the globe.

ETAPS 2022 received 362 submissions in total, 111 of which were accepted, yielding an overall acceptance rate of 30.7%. I thank all the authors for their interest in ETAPS, all the reviewers for their reviewing efforts, the PC members for their contributions, and in particular the PC (co-)chairs for their hard work in running this entire intensive process. Last but not least, my congratulations to all authors of the accepted papers!

ETAPS 2022 featured the unifying invited speakers Alexandra Silva (University 
College London, UK, and Cornell University, USA) and Tomas Vojnar (Brno 
University of Technology, Czech Republic) and the conference-specific invited 
speakers Nathalie Bertrand (Inria Rennes, France) for FoSSaCS and Lenore Zuck 
(University of Illinois at Chicago, USA) for TACAS. Invited tutorials were provided by 
Stacey Jeffery (CWI and QuSoft, The Netherlands) on quantum computing and 
Nicholas Lane (University of Cambridge and Samsung AI Lab, UK) on federated 
learning. 

As this event was the 25th edition of ETAPS, part of the program was a special celebration where we looked back on the achievements of ETAPS and its constituting conferences in the past, but we also looked into the future, and discussed the challenges ahead for research in software science. This edition also reinstated the ETAPS mentoring workshop for PhD students.

ETAPS 2022 took place in Munich, Germany, and was organized jointly by the Technical University of Munich (TUM) and the LMU Munich. The former was founded in 1868, and the latter in 1472 as the 6th oldest German university still running today. Together, they have 100,000 enrolled students, regularly rank among the top 100 universities worldwide (with TUM’s computer-science department ranked #1 in the European Union), and their researchers and alumni include 60 Nobel laureates. The local organization team consisted of Jan Křetínský (general chair), Dirk Beyer (general, financial, and workshop chair), Julia Eisentraut (organization chair), and Alexandros Evangelidis (local proceedings chair).

ETAPS 2022 was further supported by the following associations and societies: 
ETAPS e.V., EATCS (European Association for Theoretical Computer Science), 
EAPLS (European Association for Programming Languages and Systems), and EASST 
(European Association of Software Science and Technology). 

The ETAPS Steering Committee consists of an Executive Board, and representatives of the individual ETAPS conferences, as well as representatives of EATCS, EAPLS, and EASST. The Executive Board consists of Holger Hermanns (Saarbrücken), Marieke Huisman (Twente, chair), Jan Kofron (Prague), Barbara König (Duisburg), Thomas Noll (Aachen), Caterina Urban (Paris), Tarmo Uustalu (Reykjavik and Tallinn), and Lenore Zuck (Chicago).

Other members of the Steering Committee are Patricia Bouyer (Paris), Einar Broch 
Johnsen (Oslo), Dana Fisman (Be’er Sheva), Reiko Heckel (Leicester), Joost-Pieter 
Katoen (Aachen and Twente), Fabrice Kordon (Paris), Jan Křetínský (Munich), Orna 
Kupferman (Jerusalem), Leen Lambers (Cottbus), Tiziana Margaria (Limerick), 
Andrew M. Pitts (Cambridge), Elizabeth Polgreen (Edinburgh), Grigore Rosu (Illinois), 
Peter Ryan (Luxembourg), Sriram Sankaranarayanan (Boulder), Don Sannella 
(Edinburgh), Lutz Schröder (Erlangen), Ilya Sergey (Singapore), Natasha Sharygina 
(Lugano), Pawel Sobocinski (Tallinn), Peter Thiemann (Freiburg), Sebastian Uchitel 
(London and Buenos Aires), Jan Vitek (Prague), Andrzej Wasowski (Copenhagen), 
Thomas Wies (New York), Anton Wijs (Eindhoven), and Manuel Wimmer (Linz). 

I’d like to take this opportunity to thank all authors, attendees, organizers of the satellite workshops, and Springer-Verlag GmbH for their support. I hope you all enjoyed ETAPS 2022.

Finally, a big thanks to Jan, Julia, Dirk, and their local organization team for all their 
enormous efforts to make ETAPS a fantastic event. 


February 2022 Marieke Huisman 
ETAPS SC Chair 
ETAPS e.V. President 


Preface 


This volume contains the papers presented at the 25th International Conference on Foundations of Software Science and Computation Structures (FoSSaCS 2022), which was held during April 4–6, 2022, in Munich, Germany. The conference is dedicated to foundational research with a clear significance for software science and brings together research on theories and methods to support the analysis, integration, synthesis, transformation, and verification of programs and software systems.

In addition to an invited talk by Nathalie Bertrand (Université de Rennes, Inria, 
CNRS, and IRISA, France) on “Parameterized verification to the rescue of distributed 
algorithms”, the program consisted of 23 contributed papers, selected from among 77 
submissions. Each submission was assessed by three or more Program Committee 
members. The conference management system EasyChair was used to handle the 
submissions, to conduct the electronic Program Committee discussions, and to assist 
with the assembly of the proceedings. 

We wish to thank all the authors who submitted papers for consideration, the 
members of the Program Committee for their conscientious work, and all additional 
reviewers who assisted the Program Committee in the evaluation process. Finally, we 
would like to thank the ETAPS organization for providing an excellent environment for 
FoSSaCS, other conferences, and workshops. 
Parameterized Verification to the Rescue of Distributed Algorithms
(Abstract of Invited Talk)


Nathalie Bertrand


Univ Rennes, Inria, CNRS, IRISA, France 
nathalie.bertrand@inria.fr 


Abstract. Distributed computing is everywhere in our daily lives and in 
advanced technological applications. Bugs in distributed algorithms can have 
huge consequences, so that already in 2006, Lamport advised: “Model-checking 
algorithms prior to submitting them for publication should become the norm” 
[4]. Formal verification techniques indeed avoid tedious and error-prone manual 
correctness proofs. 

Developing formal verification techniques for distributed algorithms is a real challenge, since correctness should typically hold independently of the number of participants. The latter often can be considered, or are by design, anonymous, forming a crowd of identical copies. Since the seminal work of German and Sistla establishing the decidability of parameterized verification for crowds of finite-state machines interacting via rendez-vous [3], the model checking community has been focusing on specific classes of distributed algorithms, and has proposed appropriate crowds models with a decidable parameterized verification problem [1, 2].

In this talk, we will report on recent contributions to the parameterized 
verification of distributed algorithms. 


Keywords: Model checking - Parameterized verification - Distributed 
algorithms 


References 


1. Bloem, R., et al.: Decidability of Parameterized Verification. Synthesis Lectures on Distributed Computing Theory. Morgan & Claypool Publishers (2015). https://doi.org/10.2200/S00658ED1V01Y201508DCT013

2. Esparza, J.: Keeping a crowd safe: on the complexity of parameterized verification (invited talk). In: Proceedings of the 31st International Symposium on Theoretical Aspects of Computer Science (STACS’14). LIPIcs, vol. 25, pp. 1-10. Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik (2014). https://doi.org/10.4230/LIPIcs.STACS.2014.1

3. German, S.M., Sistla, A.P.: Reasoning about systems with many processes. J. ACM 39(3), 675-735 (1992). https://doi.org/10.1145/146637.146681

4. Lamport, L.: Checking a multithreaded algorithm with *CAL. In: Dolev, S. (ed.) Distributed 
Computing. DISC 2006. Lecture Notes in Computer Science, vol. 4167, pp. 151-163. 
Springer, Berlin (2006). https://doi.org/10.1007/11864219_11 


Contents 


Representing Regular Languages of Infinite Words Using Mod 2 Multiplicity Automata ..... 1
Dana Angluin, Timos Antonopoulos, Dana Fisman, and Nevin George

Limits and difficulties in the design of under-approximation abstract domains ..... 21
Flavio Ascari, Roberto Bruni, and Roberta Gori

On probability-raising causality in Markov decision processes ..... 40
Christel Baier, Florian Funke, Jakob Piribauer, and Robin Ziemek

Parameterized Analysis of Reconfigurable Broadcast Networks ..... 61
A. R. Balasubramanian, Lucie Guillou, and Chana Weil-Kennedy

Separators in Continuous Petri Nets ..... 81
Michael Blondin and Javier Esparza

Graphical Piecewise-Linear Algebra ..... 101
Guillaume Boisseau and Robin Piedeleu

Token Games and History-Deterministic Quantitative Automata ..... 120
Udi Boker and Karoliina Lehtinen

On the Translation of Automata to Linear Temporal Logic ..... 140
Udi Boker, Karoliina Lehtinen, and Salomon Sickert

Categorical composable cryptography ..... 161
Anne Broadbent and Martti Karvonen

DyNetKAT: An Algebra of Dynamic Networks ..... 184
Georgiana Caltais, Hossein Hojjat, Mohammad Reza Mousavi, and Hünkar Can Tunç

A new criterion for M,N-adhesivity, with an application to hierarchical graphs ..... 205
Davide Castelnovo, Fabio Gadducci, and Marino Miculan

Quantifier elimination for counting extensions of Presburger arithmetic ..... 225
Dmitry Chistikov, Christoph Haase, and Alessio Mansutti

A first-order logic characterisation of safety and co-safety languages ..... 244
Alessandro Cimatti, Luca Geatti, Nicola Gigante, Angelo Montanari, and Stefano Tonetta

First-order separation over countable ordinals
Thomas Colcombet, Sam van Gool, and Rémi Morvan

A Faithful and Quantitative Notion of Distant Reduction for Generalized Applications
José Espírito Santo, Delia Kesner, and Loïc Peyrot

Modal Logics and Local Quantifiers: A Zoo in the Elementary Hierarchy
Raul Fervari and Alessio Mansutti

Temporal Stream Logic modulo Theories
Bernd Finkbeiner, Philippe Heim, and Noemi Passing

The Different Shades of Infinite Session Types
Simon J. Gay, Diogo Poças, and Vasco T. Vasconcelos

Complete and tractable machine-independent characterizations of second-order polytime
Emmanuel Hainry, Bruce M. Kapron, Jean-Yves Marion, and Romain Péchoux

Variable binding and substitution for (nameless) dummies
André Hirschowitz, Tom Hirschowitz, Ambroise Lafont, and Marco Maggesi

Uniform Guarded Fragments
Reijo Jaakkola

Sweedler Theory of Monads
Dylan McDermott, Exequiel Rivas, and Tarmo Uustalu

Model Checking Temporal Properties of Recursive Probabilistic Programs
Tobias Winkler, Christina Gehnen, and Joost-Pieter Katoen

Author Index

Representing Regular Languages of Infinite Words Using Mod 2 Multiplicity Automata


Dana Angluin¹, Timos Antonopoulos¹, Dana Fisman², and Nevin George¹


¹ Yale University, New Haven, CT, USA
timos.antonopoulos@yale.edu
² Ben-Gurion University, Beer-Sheva, Israel


Abstract. We explore the suitability of mod 2 multiplicity automata (M2MAs) as a representation for regular languages of infinite words. M2MAs are a deterministic representation that is known to be learnable in polynomial time with membership and equivalence queries, in contrast to many other representations. Another advantage of M2MAs compared to non-deterministic automata is that their equivalence can be decided in polynomial time and complementation incurs only an additive constant size increase. Because learning time is parameterized by the size of the representation, particular attention is focused on the relative succinctness of alternate representations, in particular, LTL formulas and Büchi automata of the types: deterministic, non-deterministic and strongly unambiguous. We supplement the theoretical results of worst case upper and lower bounds with experimental results computed for randomly generated automata and specific families of LTL formulas.


Keywords: Multiplicity Automata - Regular Omega Languages - Büchi Automata - Linear Temporal Logic - Conciseness


1 Introduction 


Regular languages of infinite words (or $\omega$-words) play an important role in verification of reactive systems. The question of whether a system $S$ satisfies a specification given by a temporal logic formula $\varphi$ can be reduced to the question of whether $L(S) \cap L(\neg\varphi)$ is empty, where $L(S)$ is the set of $\omega$-words representing the computation paths of the system $S$ and $L(\neg\varphi)$ is the set of $\omega$-words representing computations that violate $\varphi$. Automata are a useful machinery for performing operations on languages such as complementation and intersection, and for deciding properties such as emptiness and equivalence. Many verification tools are implemented using reductions to automata [20].

Regular $\omega$-languages can be represented using various types of automata (e.g. Büchi, Rabin, Parity, etc.). Different automata types differ in their succinctness and in the complexity of performing operations of interest. Non-deterministic Büchi automata (NBAs) are one of the most popular acceptor types for regular $\omega$-languages, mainly due to their simplicity, succinctness, and good complexity for the emptiness problem. An issue with Büchi automata is that their deterministic version (DBAs) is strictly less expressive: while NBAs accept all regular $\omega$-languages, DBAs recognize only a strict subset thereof. Another issue is that complementation of NBAs is hard; it has a $2^{\Omega(n \log n)}$ lower bound (where $n$ is the number of states) [16]. This motivated the introduction of complete unambiguous Büchi automata (CUBA) by Carton and Michel who showed that every regular $\omega$-language can be represented by a CUBA, i.e. there is a way to limit the non-determinism without losing expressiveness [8]. Bousquet and Löding proposed strongly unambiguous Büchi automata (SUBA), a slight relaxation of CUBA for which they have shown that equivalence can be decided in polynomial time [6].

© The Author(s) 2022
P. Bouyer and L. Schröder (Eds.): FoSSaCS 2022, LNCS 13242, pp. 1-20, 2022.


The SUBA model was also shown useful in terms of learnability of regular $\omega$-languages — Angluin, Antonopoulos and Fisman have shown that SUBAs are polynomially predictable using membership queries (while NBAs, under plausible cryptographic assumptions, are not) [1]. Their proof makes use of a model of automata called Mod 2 Multiplicity Automata (M2MA). Informally, multiplicity automata are an algebraic variant of automata that compute functions from finite words to a field $K$ [4,5], and M2MAs are multiplicity automata that work over the field $GF(2) = \{0,1\}$ where sum and product are computed modulo 2.


In this paper we look at questions concerning the adequacy of M2MAs for representing regular $\omega$-languages. We note that M2MAs operate on finite words, and their use for representing regular $\omega$-languages follows a reduction, by Calbrix, Nivat and Podelski from a regular $\omega$-language $L$ to a regular language $(L)_{\$}$ of finite words [7]. We thus start by reviewing the succinctness of M2MAs with respect to automata on finite words, particularly of types non-deterministic (NFAs), deterministic (DFAs), and unambiguous (UFAs). We show that M2MAs are more succinct than DFAs and UFAs, whereas with respect to NFAs there are in the worst case exponential gaps in going from M2MAs to NFAs and vice versa.


We also study the complexity of performing basic operations on M2MAs; complementation can be done with an additive constant increase in size, and union and intersection with the product of sizes. There is a known cubic algorithm to minimize a weighted automaton [10,19], which applies to an M2MA and also implies cubic procedures for determining emptiness and equivalence.


We then investigate the succinctness of M2MAs in representing regular $\omega$-languages, by comparing translations from linear temporal logic (LTL) formulas and Büchi automata (deterministic, non-deterministic and strongly unambiguous) into M2MAs, DFAs, UFAs, SUBAs and NBAs (where the former three use the $(L)_{\$}$ representation). The results are summarized in Fig. 3.


To complement the theoretical bounds, we implemented procedures to transform SUBAs to UFAs and UFAs to M2MAs, and to minimize and learn M2MAs, and report estimates of the average size increases in transforming random SUBAs, DBAs, and NBAs to M2MAs. We also determine the minimum dimensions of M2MAs and minimum sizes of DFAs for a few members of three specific families of LTL formulas and compare them with the respective $\omega$-automaton sizes.
2 Preliminaries


For nonnegative integers $k$ and $\ell$, $[k..\ell]$ is the set of nonnegative integers $n$ such that $k \le n \le \ell$. Given a finite alphabet $\Sigma$, $\Sigma^*$ is the set of finite words over $\Sigma$. The length of a word $x$ is $|x|$ and the empty word is $\varepsilon$. $\Sigma^n = \{x \in \Sigma^* \mid |x| = n\}$. The reverse of a word $x$ is $x^R$. A language $L$ is any subset of $\Sigma^*$. The reverse of $L$, denoted $L^R$, is $\{x^R \mid x \in L\}$. The Hankel matrix of a language $L$ is the infinite matrix whose rows and columns are indexed by elements of $\Sigma^*$, where the entry for row $x$ and column $y$ is 1 if $xy \in L$ and 0 if $xy \notin L$.

The set of infinite words (or $\omega$-words) over $\Sigma$ is the set of all maps from the positive integers to $\Sigma$ and is denoted $\Sigma^\omega$. An $\omega$-language is any subset of $\Sigma^\omega$. For a finite or infinite word $w$, $w[i]$ denotes the symbol at position $i$, with indices starting at 1. Concatenation of a finite word $x$ with a finite or infinite word $y$ is denoted $xy$. The word $x$ is a prefix of $xy$ and the word $y$ is a suffix of $xy$. The suffix of $w$ starting at position $i$ is denoted $w[i:]$. If $x \in \Sigma^*$ and $k$ is a nonnegative integer, $x^k$ denotes the concatenation of $k$ copies of $x$, and $x^\omega$ denotes the concatenation of $x$ with itself infinitely many times. An $\omega$-word is ultimately periodic if it can be written in the form $u(v)^\omega$ for $u, v \in \Sigma^*$ with $|v| > 0$. If $A_1$ and $A_2$ are sets and $S \subseteq A_1 \times A_2$, then we define the projection $\pi_1(S) = \{a_1 \mid (\exists a_2)\,(a_1, a_2) \in S\}$ and analogously for the projection $\pi_2$.


2.1 NFAs, UFAs, DFAs, NBAs, UBAs, SUBAs, and DBAs 


A (nondeterministic) finite-state automaton $A$ is a tuple $(\Sigma, Q, I, \Delta, F)$ consisting of a finite alphabet $\Sigma$, a finite set $Q$ of states, a set $I \subseteq Q$ of initial states, a set $F \subseteq Q$ of final states, and a transition relation $\Delta \subseteq Q \times \Sigma \times Q$. The transition relation $\Delta$ is deterministic if for every state $q \in Q$ and every symbol $\sigma \in \Sigma$, there is at most one state $q' \in Q$ such that $(q, \sigma, q') \in \Delta$. The size of a finite-state automaton is $|Q|$.

For a word $w$, a run of $A$ on $w$ is a sequence of states $q_0, q_1, \ldots$ such that for each $i$ that indexes a symbol in $w$, $(q_{i-1}, w[i], q_i) \in \Delta$. Thus, for $w \in \Sigma^*$ a run on $w$ is a sequence of length $|w| + 1$, and for $w \in \Sigma^\omega$, a run on $w$ is an infinite sequence of states. A run on $w$ is initial if $q_0 \in I$. A finite run is final if $q_{|w|} \in F$, and an infinite run is final if there are infinitely many values of $i$ for which $q_i \in F$. Acceptors of languages and $\omega$-languages may be defined using finite-state automata, as follows. In each case, the language of words accepted by an acceptor $A$ is denoted $L(A)$.

A nondeterministic finite acceptor (NFA) is a finite-state automaton $A$ that accepts a word $w \in \Sigma^*$ if there exists a run of $A$ on $w$ that is both initial and final. An NFA $A$ is an unambiguous finite acceptor (UFA) if for every word $w \in L(A)$ there is exactly one run of $A$ on $w$ that is initial and final. An NFA $A$ is a deterministic finite acceptor (DFA) if there is exactly one initial state ($|I| = 1$) and the transition relation $\Delta$ is deterministic. The languages over $\Sigma$ that are accepted by NFAs, UFAs, or DFAs are precisely the regular languages over $\Sigma$.

A nondeterministic Büchi acceptor (NBA) is a finite-state automaton $A$ that accepts a word $w \in \Sigma^\omega$ if there exists a run of $A$ on $w$ that is both initial and final. An NBA is an unambiguous Büchi acceptor (UBA) if for every $w \in L(A)$, there exists exactly one run of $A$ on $w$ that is initial and final. Bousquet and Löding [6] introduced the concept of a strongly unambiguous Büchi acceptor (SUBA), which is an NBA such that for every $w \in \Sigma^\omega$, there is at most one final run of the acceptor on $w$ — note that the condition of being initial is dropped. Thus, every SUBA is a UBA. The $\omega$-languages over $\Sigma$ that are accepted by NBAs, UBAs, or SUBAs are precisely the regular $\omega$-languages. An NBA is a deterministic Büchi acceptor (DBA) if there is exactly one initial state ($|I| = 1$) and the transition relation $\Delta$ is deterministic. Every DBA is a UBA, but is not necessarily a SUBA. The $\omega$-languages that are accepted by DBAs are a proper subclass of the class of all regular $\omega$-languages.

For Büchi acceptors, we also consider a generalized version, GNBA, in which the acceptance condition is specified not by a single set of final states, but by a collection $\mathcal{F}$ of sets of final states. For a GNBA, a run $q_0, q_1, \ldots$ is final iff for each $F \in \mathcal{F}$, there exist infinitely many indices $i$ such that $q_i \in F$. Applying this generalization to a SUBA yields a GSUBA. There is a standard translation of a GNBA of size $n$ with $k$ sets of final states into an NBA of size $kn$, in which there are $k$ copies of the GNBA automaton. However, applying this construction to a GSUBA does not in general yield a SUBA.


2.2 LTL formulas 


The syntax of linear temporal logic (LTL) [18] over a set $AP$ of atomic propositions is given by the following grammar

$\varphi ::= p \mid \neg\varphi \mid \varphi_1 \wedge \varphi_2 \mid \bigcirc\varphi \mid (\varphi_1 \mathrel{U} \varphi_2)$

where $p \in AP$ is an atomic proposition.

The semantics of LTL relates $\omega$-words over $2^{AP}$ to formulas as follows (recall that indexing of words starts at 1):

$w \models p$ iff $p \in w[1]$
$w \models \neg\varphi$ iff $w \not\models \varphi$
$w \models \varphi_1 \wedge \varphi_2$ iff $w \models \varphi_1$ and $w \models \varphi_2$
$w \models \bigcirc\varphi$ iff $w[2:] \models \varphi$
$w \models (\varphi_1 \mathrel{U} \varphi_2)$ iff $\exists j.\ w[j:] \models \varphi_2$ and $\forall i < j.\ w[i:] \models \varphi_1$

Additional Boolean and temporal connectives are defined in the usual way. In particular $\top$ (true) is defined as $p \vee \neg p$, $\Diamond\varphi$ (eventually $\varphi$) is defined as $(\top \mathrel{U} \varphi)$ and $\Box\varphi$ (always $\varphi$) is defined as $\neg\Diamond(\neg\varphi)$. The $\omega$-language of an LTL formula $\varphi$, denoted $L(\varphi)$, is the set of $\omega$-words for which it is true. The size of an LTL formula $\varphi$ is the number of distinct subformulas it contains. Every LTL formula represents a regular $\omega$-language (see Section 5). However, not every regular $\omega$-language can be represented by an LTL formula; in particular, the regular $\omega$-languages that can be represented by LTL formulas are noncounting [9].
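As an added example (not code from the paper), the semantics above made executable over the ultimately periodic $\omega$-words $u(v)^\omega$ of Section 2: because such a word has only $|u| + |v|$ distinct suffixes, the until clause can be decided by walking those suffixes until one repeats. The class `UPWord`, the tuple encoding of formulas, the constructors `P`, `Not`, `And`, `Next`, `Until` (with `Or`, `Top`, `Eventually`, `Always` derived exactly as in the text) and the sample word `W` are all assumptions of this example.

```python
"""Constructed example (not from the paper): the LTL semantics of Section 2.2,
evaluated over ultimately periodic omega-words w = u(v)^omega as defined in
Section 2, with positions indexed from 1. Formulas are nested tuples."""


class UPWord:
    """w = u v^omega over 2^AP; u and v are lists of sets of atomic propositions.
    Only |u| + |v| suffixes w[i:] are distinct, so every check terminates."""

    def __init__(self, u, v):
        assert len(v) > 0, "the periodic part v must be non-empty"
        self.u, self.v = [frozenset(s) for s in u], [frozenset(s) for s in v]
        self.n = len(self.u) + len(self.v)   # representatives of all suffixes

    def at(self, i):
        """w[i] for i >= 1."""
        k = i - 1
        return self.u[k] if k < len(self.u) else self.v[(k - len(self.u)) % len(self.v)]

    def succ(self, i):
        """Position j in [1..n] with w[j:] = w[i+1:] (wraps back into the period)."""
        return i + 1 if i < self.n else len(self.u) + 1


# Core connectives of the grammar phi ::= p | not phi | phi1 and phi2 | next phi | phi1 U phi2.
def P(name): return ("p", name)
def Not(f): return ("not", f)
def And(f, g): return ("and", f, g)
def Next(f): return ("next", f)
def Until(f, g): return ("until", f, g)
# Derived connectives, defined exactly as in Section 2.2.
def Or(f, g): return Not(And(Not(f), Not(g)))
def Top(): return Or(P("p"), Not(P("p")))           # true := p or not p
def Eventually(f): return Until(Top(), f)           # <>phi := (true U phi)
def Always(f): return Not(Eventually(Not(f)))       # []phi := not <>(not phi)


def models(w, formula):
    """True iff w |= formula, by the inductive semantics of Section 2.2."""
    memo = {}

    def sat(f, i):                       # does the suffix w[i:] satisfy f?
        if (f, i) not in memo:
            memo[(f, i)] = evaluate(f, i)
        return memo[(f, i)]

    def evaluate(f, i):
        op = f[0]
        if op == "p":
            return f[1] in w.at(i)
        if op == "not":
            return not sat(f[1], i)
        if op == "and":
            return sat(f[1], i) and sat(f[2], i)
        if op == "next":
            return sat(f[1], w.succ(i))
        if op == "until":
            # exists j >= i with w[j:] |= f2 and w[k:] |= f1 for all i <= k < j;
            # following succ() revisits a position after at most n steps.
            seen, k = set(), i
            while k not in seen:
                if sat(f[2], k):
                    return True
                if not sat(f[1], k):
                    return False
                seen.add(k)
                k = w.succ(k)
            return False
        raise ValueError(f"unknown connective {op!r}")

    return sat(formula, 1)


# Constructed sample word: w = {p} ({} {q})^omega, i.e. p holds only at position 1
# and q holds at positions 3, 5, 7, ...
W = UPWord([{"p"}], [set(), {"q"}])
```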


2.3 M2MAs 


A multiplicity automaton represents a function mapping $\Sigma^*$ to elements of a field $K$. We focus on the case where $K = \{0,1\}$ and product and sum are computed modulo 2. A mod 2 multiplicity acceptor (M2MA) of dimension $d$ is a tuple $A = (\Sigma, v_I, \{\mu_\sigma\}_{\sigma \in \Sigma}, v_F)$, where $\Sigma$ is the input alphabet, $v_I \in K^d$ is the initial vector, $v_F \in K^d$ is the final vector, and for each $\sigma \in \Sigma$, $\mu_\sigma$ is a $d \times d$ transition matrix over $K$, that is, an element of $K^{d \times d}$.

The vectors $v_I$ and $v_F$ are interpreted as $d \times 1$ column vectors. The transpose operation is denoted by $^\top$, and the inner product of two column vectors $v, w \in K^d$ is denoted $v^\top w$.

To define $L(A)$ we inductively define the matrix $\mu_x$ for all $x \in \Sigma^*$. If $x = \varepsilon$, then $\mu_x$ is the $d \times d$ identity matrix. If $x = \sigma y$ for some $\sigma \in \Sigma$ and $y \in \Sigma^*$ then $\mu_x = \mu_\sigma \mu_y$. The function $f_A : \Sigma^* \to K$ computed by $A$ is defined by $f_A(x) = v_I^\top \mu_x v_F$. A word $x$ is accepted by $A$ if $f_A(x) = 1$.

We refer to column vectors $v \in K^d$ as states or co-states of $A$. A state $v$ is reachable iff there exists a word $x \in \Sigma^*$ such that $v = (v_I^\top \mu_x)^\top$. A co-state $w$ is co-reachable iff there exists a word $x \in \Sigma^*$ such that $w = \mu_x v_F$. For any state $v$, $L_v(A)$ denotes the language of words accepted by $A$ with its initial vector replaced by $v$.

We assume standard results from finite dimensional vector spaces. If $U$ is a vector space of dimension $k$ over the field $\{0,1\}$ then $|U| = 2^k$. If $U$ is a vector subspace of the vector space $V$, then the orthogonal complement of $U$ is the set $U^\perp = \{v \mid v^\top u = 0\ \forall u \in U\}$, $U^\perp$ is a vector subspace of $V$ which is disjoint from $U$ except for the zero vector, and the dimensions of $U$ and $U^\perp$ sum to the dimension of $V$.

The following simple lemmas relate M2MAs to UFAs and DFAs, and show that M2MAs accept exactly the regular languages.


Lemma 1. [Beimel et al. [4]] Let $L \subseteq \Sigma^*$. If $L$ is accepted by a UFA of size $n$, it is also accepted by an M2MA of dimension $n$.


Lemma 2. Let $L \subseteq \Sigma^*$. If $L$ is accepted by an M2MA of dimension $d$ with $R$ reachable states, then $L$ is also accepted by a DFA of $R$ states. Clearly, $R \le 2^d$.


Beimel et al. [4] have shown that there is a polynomial time algorithm to 
learn an unknown M2MA using equivalence and membership queries. 


2.4 Size lower bounds for DFAs, M2MAs and NFAs 


Given a language $L \subseteq \Sigma^*$, we define an observation table for $L$ as an $\ell \times m$ matrix $T$ of 0’s and 1’s where each row $i$ is associated with a finite word $x_i$ and each column $j$ is associated with a finite word $y_j$, and the entry $T_{i,j}$ is 1 if and only if $x_i y_j \in L$. This terminology is derived from its use in algorithms to learn DFAs. An observation table for $L$ is thus a finite submatrix of its Hankel matrix.

Certain properties of observation tables for a language $L$ yield lower bounds on acceptors recognizing $L$. Recall that the rank of a matrix is the number of linearly independent rows (or columns) it contains.


Lemma 3. Let $T$ be an observation table for the regular language $L$ with rows associated with finite words $x_i$ for $i \in [1..\ell]$ and columns associated with finite words $y_j$ for $j \in [1..m]$. Assume $T$ has $n$ distinct rows and rank $d$ over the field $\{0,1\}$. Then any DFA to accept $L$ must have at least $n$ states, and any M2MA to accept $L$ must have dimension at least $d$.
Proof. Let $D$ be a DFA accepting $L$. If the rows for $x_i$ and $x_k$ are distinct, then there is a column $j$ on which they differ, that is, $x_i y_j \in L$ iff $x_k y_j \notin L$. Thus, the states of $D$ reached from the initial state on the words $x_i$ and $x_k$ must be different and $D$ has at least $n$ states.

Let $M$ be an M2MA accepting $L$. Following the argument of Beimel et al. [4], the observation table is a submatrix of the Hankel matrix of the language $L$, and its rank (modulo 2) is a lower bound for the rank (modulo 2) of the Hankel matrix, which is a lower bound for the size of any M2MA accepting $L$.


For lower bounds for NFAs, we use the concept of covering the observation table by 1-monochromatic rectangles. If $R$ and $C$ are subsets of the indices of the rows and columns (respectively) of a matrix $M$, then the $(R, C)$-rectangle of $M$ is the matrix obtained from $M$ by deleting those rows whose indices are not in $R$ and those columns whose indices are not in $C$. The $(R, C)$-rectangle of a matrix $M$ is $v$-monochromatic iff all of its entries are equal to the value $v$.

Let $M$ be a matrix of 0 and 1 values. A 1-rectangle cover of $M$ is a set $\{(R_s, C_s) \mid s \in [1..t]\}$ of 1-monochromatic rectangles $(R_s, C_s)$ of $M$ such that for every $i$ and $j$, if $M_{i,j} = 1$ then there exists some $s \in [1..t]$ such that $i \in R_s$ and $j \in C_s$. A minimum 1-rectangle cover of $M$ is a 1-rectangle cover of $M$ of minimum possible cardinality $t$.


Lemma 4. Let $T$ be an $\ell \times m$ observation table for the regular language $L$. Any NFA $M$ recognizing $L$ must have at least as many states as the cardinality of the minimum 1-rectangle cover of $T$.


This is implied by Theorem 5.2.4.10 and Exercise 5.2.5.14 of Hromkovič [12]. For completeness we provide a simple direct proof.


Proof. Let the strings indexing the rows of $T$ be $x_i$ for $i \in [1..\ell]$ and the strings indexing the columns of $T$ be $y_j$ for $j \in [1..m]$. For each state $q$ of $M$, let $R_q$ be the set of all $i \in [1..\ell]$ such that $x_i$ reaches $q$ from an initial state of $M$, and let $C_q$ be the set of all $j \in [1..m]$ such that $y_j$ reaches a final state of $M$ from $q$. Clearly $(R_q, C_q)$ must be a 1-monochromatic rectangle of $T$, because if $i \in R_q$ and $j \in C_q$ then $x_i y_j$ is accepted by $M$ and the entry $T_{i,j}$ must be 1. Also, if $T_{i,j} = 1$, then $x_i y_j$ must be accepted by $M$, so there must exist a state $q$ of $M$ such that $x_i$ reaches $q$ from an initial state of $M$ and $y_j$ reaches a final state of $M$ from $q$, that is, $i \in R_q$ and $j \in C_q$. Thus, the rectangles $(R_q, C_q)$ for all states $q$ of $M$ form a 1-rectangle covering of $T$, and the number of states of $M$ is greater than or equal to the cardinality of the minimum 1-rectangle covering of $T$.


Corollary 1. If L is a regular language with an n x n observation table T that 
has exactly one 1 in every row and column, then any DFA, M2MA, or NFA to 
recognize L must have at least n states. 
As an example of the use of these results, let $L$ be the regular language over $\{a, b, c\}$ consisting of those strings that do not contain any occurrences of the substrings $ba$ or $cb$, with the observation table for $L$ in Fig. 1. There are 4 different rows, so any DFA to accept $L$ must have at least 4 states. The mod 2 rank of the table is 3 (the first three rows are a row basis) so any M2MA accepting $L$ must have dimension at least 3. The observation table with rows $c$ and $b$, and columns $a$ and $b$ is the $2 \times 2$ identity matrix, so any NFA to accept $L$ must have at least 2 states. In fact, there is a DFA of 4 states, an M2MA of dimension 3, and an NFA of 2 states accepting $L$, so for this example, the lower bounds are tight.

Fig. 1: Observation table for $L$ (rows $\varepsilon, b, c, ba$; columns $\varepsilon, a, b$).

        ε  a  b
   ε    1  1  1
   b    1  0  1
   c    1  1  0
   ba   0  0  0


3 M2MAs as representations of regular languages 


We consider the computational cost and size implications of some common operations and decision questions using M2MAs to represent regular languages.


3.1 M2MAs: procedures for operations and properties 


Reverse Given an M2MA $A$ accepting a regular language $L$, an M2MA $A^R$ accepting the reverse language $L^R$ may be obtained from $A$ by exchanging the initial and final vectors, and transposing each of the transition matrices. Thus, the minimum dimension of an M2MA accepting $L$ is equal to the minimum dimension of an M2MA accepting $L^R$. Reversing is similarly easy for UFAs and NFAs, but may incur an exponential increase in size for a DFA.


Sum If for i = 1, 2, M_i is a multiplicity automaton of dimension d_i computing 
the function f_i : Σ* → K, then the sum f_1 + f_2 is computed by a multiplicity 
automaton M of dimension d_1 + d_2 constructed as the direct product of M_1 and 
M_2 as follows. State vectors of M are the concatenation of state vectors of M_1 
and M_2, including the initial and final vectors. For each σ ∈ Σ, the transition 
matrix μ_σ is a (d_1 + d_2) × (d_1 + d_2) matrix obtained by putting (μ_1)_σ in the upper 
left, (μ_2)_σ in the lower right, and setting the remaining entries to 0. This ensures 
that the state updates of M_1 and M_2 are done in parallel for each symbol, and 
the output is the sum of the outputs for M_1 and M_2. 


Boolean operations For M2MAs, complementation follows directly from the 
sum construction. If A is an M2MA of dimension d and C is the M2MA of dimen- 
sion 1 that outputs 1 on every string, then the sum construction with A and C 
yields an M2MA of dimension d + 1 that accepts the regular language Σ* \ L(A). 
For DFAs, complementation is size-preserving, while for NFAs, complementation 
may incur an exponential increase in size. 

Given M2MAs A_i of dimension d_i for i = 1, 2, the intersection language 
L(A_1) ∩ L(A_2) is accepted by an M2MA of dimension d_1 · d_2 obtained from A_1 
and A_2 using the Kronecker product of matrices.³ Union can then be obtained 
from complementation and intersection. 
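The reverse, sum, complement and intersection constructions above are all a few lines of matrix arithmetic mod 2. The block below is an added example for this page, not the paper's code: it represents an M2MA as an initial row vector, one transition matrix per symbol and a final column vector, converts two constructed DFAs to M2MAs by the one-hot encoding of Lemma 1, and checks every derived machine against the intended language on all words up to length 4. The two DFAs (no substring ba or cb; even number of a's) are this example's own inputs.

```python
"""M2MA operations of Section 3.1 over the field {0, 1}: evaluation, reverse,
sum, complement and intersection (Kronecker product). Added example, not the
paper's code; the two DFAs it starts from are constructed for illustration."""
from itertools import product


def matmul(A, B):
    """Matrix product mod 2 (A: p x q, B: q x r, as lists of rows)."""
    return [[sum(a * b for a, b in zip(row, col)) % 2 for col in zip(*B)] for row in A]


def transpose(A):
    return [list(col) for col in zip(*A)]


def kron(A, B):
    """Kronecker product A (x) B: block (i, j) is a_ij * B (footnote 3)."""
    return [[a * b for a in ra for b in rb] for ra in A for rb in B]


class M2MA:
    """(alpha, {mu_sigma}, beta): f(w) = alpha mu_{w_1} ... mu_{w_k} beta mod 2."""

    def __init__(self, init, trans, final):
        self.init, self.trans, self.final = init, trans, final

    @property
    def dim(self):
        return len(self.init)

    def accepts(self, w):
        v = [self.init]                       # 1 x d row vector
        for s in w:
            v = matmul(v, self.trans[s])
        return matmul(v, transpose([self.final]))[0][0] == 1

    def reverse(self):
        """Exchange initial and final vectors, transpose every mu_sigma."""
        return M2MA(self.final, {s: transpose(m) for s, m in self.trans.items()}, self.init)

    def __add__(self, other):
        """Direct sum: block-diagonal mu_sigma, dimension d1 + d2, outputs added mod 2."""
        d1, d2 = self.dim, other.dim
        trans = {s: [r + [0] * d2 for r in self.trans[s]] +
                    [[0] * d1 + r for r in other.trans[s]] for s in self.trans}
        return M2MA(self.init + other.init, trans, self.final + other.final)

    def complement(self):
        """Sum with the dimension-1 M2MA that outputs 1 on every string."""
        ones = M2MA([1], {s: [[1]] for s in self.trans}, [1])
        return self + ones

    def __and__(self, other):
        """Intersection: Kronecker product of everything, dimension d1 * d2."""
        trans = {s: kron(self.trans[s], other.trans[s]) for s in self.trans}
        return M2MA(kron([self.init], [other.init])[0], trans,
                    kron([self.final], [other.final])[0])


def dfa_to_m2ma(states, alphabet, start, delta, accepting):
    """Lemma 1: one-hot state vectors; row q of mu_sigma has a 1 at delta(q, sigma)."""
    idx = {q: i for i, q in enumerate(states)}
    n = len(states)
    trans = {s: [[0] * n for _ in range(n)] for s in alphabet}
    for q in states:
        for s in alphabet:
            trans[s][idx[q]][idx[delta[q, s]]] = 1
    return M2MA([int(q == start) for q in states], trans, [int(q in accepting) for q in states])


# Constructed inputs: L1 = strings over {a,b,c} with no substring ba or cb
# (states E = start/after a, B = after b, C = after c, X = dead); L2 = even number of a's.
DFA1 = dict(states="EBCX", alphabet="abc", start="E", accepting=set("EBC"), delta={
    ("E", "a"): "E", ("E", "b"): "B", ("E", "c"): "C",
    ("B", "a"): "X", ("B", "b"): "B", ("B", "c"): "C",
    ("C", "a"): "E", ("C", "b"): "X", ("C", "c"): "C",
    ("X", "a"): "X", ("X", "b"): "X", ("X", "c"): "X"})
DFA2 = dict(states="EO", alphabet="abc", start="E", accepting={"E"}, delta={
    ("E", "a"): "O", ("E", "b"): "E", ("E", "c"): "E",
    ("O", "a"): "E", ("O", "b"): "O", ("O", "c"): "O"})


def in_L1(w):
    return "ba" not in w and "cb" not in w


def in_L2(w):
    return w.count("a") % 2 == 0


def check_operations(maxlen=4):
    """Compare every derived M2MA with the intended language on all words up to
    maxlen; returns the dimensions (A1, sum, complement, intersection, reverse)
    or False on the first disagreement."""
    A1, A2 = dfa_to_m2ma(**DFA1), dfa_to_m2ma(**DFA2)
    S, C, I, R = A1 + A2, A1.complement(), A1 & A2, A1.reverse()
    for k in range(maxlen + 1):
        for t in product("abc", repeat=k):
            w = "".join(t)
            if not (A1.accepts(w) == in_L1(w)
                    and S.accepts(w) == (in_L1(w) != in_L2(w))
                    and C.accepts(w) == (not in_L1(w))
                    and I.accepts(w) == (in_L1(w) and in_L2(w))
                    and R.accepts(w) == in_L1(w[::-1])):
                return False
    return (A1.dim, S.dim, C.dim, I.dim, R.dim)


if __name__ == "__main__":
    print(check_operations())   # (4, 6, 5, 8, 4)
```

Note that the sum of two 0/1-valued machines computes the exclusive or of their outputs, which is why the complement is a sum with the all-ones machine and why the intersection needs the Kronecker product rather than the direct sum.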


Minimization, Equivalence, and Emptiness Sakarovitch [10,19] describes 
a cubic-time algorithm to minimize a weighted automaton with weights from a 
skew field, which has the following corollary. 


Corollary 2 (of Theorem 5.20 in [10]). Given an M2MA A of dimension d, 
an M2MA A' of the minimum possible dimension accepting L(A) may be found 
in time O(|Σ| d³). 


An M2MA recognizes the empty language iff it has dimension 0 when minimized, 
and the equivalence of two M2MAs may be tested by determining if their sum 
is the empty language. 


3.2 Conciseness comparisons for regular languages 


We summarize known results comparing the conciseness of M2MAs with that of 
DFAs, UFAs and NFAs as representations of regular languages in Fig. 2. The 
entry for row A and column B is “—” if the representation A is an instance 
of the representation B; otherwise it answers the question: starting with a 
machine of size n in the representation A, how large must an equivalent machine 
in the representation B be in the worst case? The entry 2^Θ(n) means that there 
is a lower bound of 2^cn and an upper bound of 2^dn for positive constants c and d. 

            DFA       UFA       NFA       M2MA 
    DFA      —         —         —         n 
    UFA    2^Θ(n)      —         —         n 
    NFA    2^Θ(n)    2^Θ(n)      —       2^Θ(n) 
    M2MA   2^Θ(n)    2^Θ(n)    2^Θ(n)      — 

Fig. 2: Worst-case size bounds for representations of regular languages. 

We briefly explain the entries in the table. A DFA is also a UFA and an NFA, 
and a UFA is also an NFA. A DFA or UFA of size n can be converted to an equiv- 
alent M2MA of dimension n (Lemma 1). The subset construction to determinize an 
NFA of size n yields a DFA (and therefore also a UFA or M2MA) of size at most 
2^n. An M2MA of dimension n can be converted to a DFA (or UFA or NFA) of size 
at most 2^n (Lemma 2). The language B_n = Σ* · 1 · Σ^n, for Σ = {0, 1}, consisting 
of binary strings with a 1 located n + 1 symbols before the end is accepted by 
a UFA of size n + 2 (and therefore also an NFA of size n + 2 and an M2MA of 
dimension n + 2), but requires at least 2^(n+1) states for any DFA that accepts it. 
For the problem of converting an NFA to an M2MA, Kaznatcheev and 
Panangaden [13] consider the language L_n = Σ* ((0Σ^(n−1)1) + (1Σ^(n−1)0)) Σ* for 
Σ = {0, 1}, and show that L_n is recognized by an NFA of 2n + 2 states, but that 
any M2MA to recognize L_n must have dimension at least 2^n. By Lemma 1, this 
lower bound applies also to UFAs. 
For the problem of converting an M2MA to an NFA, Kaznatcheev and Panan- 
gaden [13] give a family of languages {L_n} such that L_n is recognized by an 
M2MA of dimension n + 2, and prove that any NFA to recognize L_n must have 
at least 2^(n/2) − 2 states. Here we provide a simpler proof of a stronger lower 
bound. Let L_n be the language recognized by the M2MA given in Fig. 1 of 
the paper of Kaznatcheev and Panangaden. This M2MA accepts a word w iff the 
number of indices i such that both w[i] and w[i + n] is 1, is odd. 

³ If A is an m × n matrix and B is a p × q matrix, then the Kronecker product A ⊗ B is 
the pm × qn block matrix, with blocks of the size of B, where the block at position 
(i, j) is a_ij B [17, Def 1.2.1]. 


Lemma 5. Any NFA to recognize L_n must have at least 2^n − 1 states. 


Proof. The language L_n has an observation table T_n of dimension 2^n × 2^n, in 
which the rows and columns are indexed by strings x, y ∈ {0, 1}^n. We view 
strings in {0, 1}^n as vectors of length n over the field {0, 1}, so that the entry 
corresponding to the pair (x, y) is the inner product of the vectors x and y, that 
is x^T y. Note that the inner product x^T y is 1 iff the number of indices i such 
that both xy[i] and xy[i + n] is 1, is odd. The lower bound of 2^n − 1 then follows 
from Lemma 4 and the following Lemma. 


Lemma 6. The minimum 1-rectangle covering of the observation table T_n just 
defined has cardinality 2^n − 1. 


Proof. For the upper bound it suffices to consider a 1-rectangle covering of T_n 
consisting of pairs (R, C) where R is the singleton index of a nonzero row and 
C consists of the indices of the occurrences of 1 in that row. 

If x ∈ {0, 1}^n is the zero vector, then x^T y is 0 for all vectors y; otherwise, 
x^T y = 1 for exactly half the vectors y, that is, for 2^(n−1) columns of T_n. Hence, 
T_n contains exactly 2^(n−1)(2^n − 1) entries of value 1. We now show that any 1- 
monochromatic rectangle (R, C) of T_n has at most 2^(n−1) entries of 1, which shows 
that a minimum 1-rectangle covering of T_n must have cardinality at least 2^n − 1. 

Let (R, C) be any 1-monochromatic rectangle of T_n. Let U be the vector 
subspace spanned by the vectors x corresponding to indices in R, and let B be 
a basis for U whose indices are drawn from R. Let k = |B|, so that |U| = 2^k. 
Every element of U is a sum of elements of B, but a sum of an even number of 
elements of B will be 0 in all the columns with indices in C, so R can contain 
the indices of at most half the elements of U, that is, |R| ≤ 2^(k−1). 

Let S = {v | u^T v = 1 for all u ∈ B}, the set of vectors whose inner product with 
all elements of B is 1; clearly, |C| ≤ |S|. We use inclusion/exclusion to find the 
cardinality of S, as follows. Since the elements of B are linearly independent, 
for every nonempty subset C' ⊆ B the set {v | u^T v = 0 for all u ∈ C'} is a 
subspace of dimension n − |C'|, so it has 2^(n−|C'|) elements. Hence 

$$
\begin{aligned}
|S| &= 2^n - \Bigl|\bigcup_{u \in B} \{ v \mid u^{\mathsf T} v = 0 \}\Bigr| \\
    &= 2^n - \sum_{\emptyset \neq C' \subseteq B} (-1)^{|C'|+1}\, 2^{\,n-|C'|} \\
    &= 2^n - k\,2^{n-1} + \binom{k}{2} 2^{n-2} - \cdots + (-1)^k\, 2^{n-k} \\
    &= 2^n \Bigl(1 - \tfrac{1}{2}\Bigr)^k = 2^{n-k}.
\end{aligned}
$$

Thus, |C| ≤ 2^(n−k). Then |R × C| ≤ 2^(k−1) · 2^(n−k) = 2^(n−1), concluding the proof. 
4 Representing regular omega-languages using regular languages 


In the preliminaries we discussed NBAs, SUBAs and DBAs, and LTL formulas as 
representations of regular ω-languages. Here we explain that M2MAs and other 
automata over finite words can also be used to represent regular ω-languages. 

A regular ω-language is uniquely determined by the set of ultimately periodic 
ω-words it contains. Let L be a regular ω-language and let $ be a symbol not 
in the alphabet of L. To represent the set of ultimately periodic words in L, 
Calbrix, Nivat and Podelski [7] introduced the related language of finite words 
L_$ = {u$v | u(v)^ω ∈ L} and proved that it is regular. 

Thus a regular ω-language L can be represented by an acceptor for the regular 
language L_$, for example, a DFA, UFA, NFA or M2MA. The representation of 
L_$ by an M2MA was used by Angluin, Antonopoulos, and Fisman [1] in showing 
that regular ω-languages are polynomially predictable with membership queries 
as a function of the size of the smallest SUBA accepting the language. 

We note that if for i = 1, 2, A_i is an M2MA of dimension d_i accepting 
(L_i)_$ for the regular ω-language L_i, then there is an M2MA of dimension d_1 · d_2 
accepting (L_1 ∩ L_2)_$, and an M2MA of dimension d_1 + 3 accepting (Σ^ω \ L_1)_$. 
The former follows by the intersection result for M2MAs, and the latter follows 
by the sum result applied to A_1 and the dimension 3 M2MA that accepts the 
set {u$v | u ∈ Σ*, v ∈ Σ^+}. 


5 Conciseness comparisons for regular omega-languages 


We present known and new results comparing the conciseness of M2MAs with 
that of several other representations of regular ω-languages, summarized in 
Fig. 3. The entry for row A and column B gives upper (above) and lower (below) 
bounds on the worst case increase in size for a representation of type A of size 
or dimension n to an equivalent representation of type B. The entry is “—” if a 
representation of type A is an instance of a representation of type B. The entries 
for the columns for DFA, UFA, M2MA, and NFA are for the language L_$. An 
arrow indicates that the (lower or upper) bound is derived from a related (lower 
or upper) bound in the table. For example, the upper bounds for the row DBA 
and columns UFA, M2MA and NFA are derived from the upper bound for the 
row DBA and column DFA. We now discuss the entries. 


5.1 Size increases for LTL formulas 


Upper bounds 

There is a “classic” algorithm, described by Baier and Katoen [3, Chapter 5], to 
translate an LTL formula of size n into a GNBA of size 2^n with at most n sets 
of final states, which then yields an NBA of size at most n2^n. This shows that 
every LTL formula represents a regular ω-language, and gives an upper bound 
for translating an LTL formula to an NBA. Another algorithm to translate LTL 
formulas into NBAs is given by Gerth, Peled, Vardi and Wolper [11]. 
[Fig. 3 (table not recoverable from the extraction): Worst-case size bounds for representations of regular ω-languages.] 


Concerning the classic translation algorithm, Bousquet and Löding [6] give a 
brief argument and state that “Hence the automaton that is constructed in this 
standard way is strongly unambiguous.” Wilke [21] states that “Every tempo- 
ral formula with n subformulas can be translated into an equivalent backwards 
deterministic generalized Büchi automaton with at most 2^n states and as many 
Büchi sets as there are subformulas with leading temporal operator F (eventu- 
ally) or U (until).” To clarify these earlier statements, we reformulate them in 
our terminology. This gives an upper bound for transforming an LTL formula to 
a GSUBA. 


Proposition 1. Let φ be an LTL formula of size n with temporal operators next 
and until, with m until subformulas. Applying the classic translation algorithm 
to φ yields a GSUBA of size 2^n with m sets of final states. 


Proof. Baier and Katoen [3] show that the algorithm yields a GNBA M of the 
given size in which each state corresponds to an assignment of true or false to 
every subformula of φ. Moreover, if the ω-word w is accepted from a state q, 
then q assigns true to each subformula ψ of φ iff ψ is true for w. Hence there 
is at most one state of M from which the ω-word w is accepted, and thus M is 
also a GSUBA. 


To get an upper bound for translation of LTL formulas to UFAs, M2MAs, 
and NFAs, we would like to use the property of being strongly unambiguous. 
However, if the resulting GSUBA has more than one set of final states, trans- 
forming it in the usual way into an NBA does not in general yield a SUBA. 
Instead, we generalize to GSUBAs the method of Bousquet and Löding [6] for 
transforming a SUBA accepting L into a UFA accepting L_$. 
Theorem 1. There is an algorithm to transform a GSUBA of size n with m 
sets of final states accepting L into a UFA of size 2^m n² + n accepting L_$. It runs 
in time polynomial in n and 2^m. 


Proof. Let L be accepted by the GSUBA M = (Σ, Q, I, Δ, F) with n = |Q| 
and m = |F|. We index the elements of F as F_i for i ∈ [1..m]. Bousquet and 
Löding [6, Lemma 1] show that u(v)^ω is accepted by a SUBA iff there exists a 
state q reachable from an initial state on reading u, such that on the word v 
there is a computation path that loops from q back to q while passing through 
an accepting state. For the GSUBA M, the condition is that the computation 
path that loops from q back to q must pass through at least one state from each 
F_i for i ∈ [1..m]. 

We define an NFA M' = (Σ', Q', I', Δ', F') as follows. The alphabet is Σ' = 
Σ ∪ {$}. The state set is Q' = Q ∪ Q_1, where Q_1 = {(q_1, q_2, S) | q_1, q_2 ∈ Q, S ⊆ 
[1..m]}. The initial states are I' = I. The transition relation is Δ' = Δ ∪ Δ_1 ∪ Δ_$, 
where Δ_1 is the set of all triples ((q_1, q_2, S), σ, (q_1', q_2', S')) such that q_1' = q_1, 
(q_2, σ, q_2') ∈ Δ, and S' = S ∪ T, where T = {i ∈ [1..m] | q_2' ∈ F_i}. And Δ_$ 
contains all triples (q, $, (q, q, ∅)) such that q ∈ Q. The set of final states F' is 
the set of triples (q_1, q_2, S) such that S = [1..m] and q_1 = q_2. 

Then M' has 2^m n² + n states, and can be constructed in time polynomial in 
n and 2^m given the GSUBA M. On an input u$v, the NFA M' behaves like M 
on the word u, reaching some state q. Then on the symbol $, M' transitions to 
the state (q, q, ∅), recording the state q reached after reading u. As M' continues 
reading v, the first component remembers q while the second component transi- 
tions as in M. The third component, S, records the set of indices of those final 
sets F_i that have been visited in the processing of v. The input u$v is accepted 
by M' iff there is a state q of M reachable from a state of I on input u such that 
there exists a computation path in M on input v from q to q that visits at least 
one state in F_i for every i ∈ [1..m]. Thus M' accepts L_$. (Note that the set S 
generalizes the single bit used in Bousquet and Löding's construction.) 

To see that M' is a UFA, we note that if there are two different accepting 
computations in M' for u$v, then these may be used to construct two different 
accepting computations in M for u(v)^ω, contradicting the fact that M is a 
GSUBA. 
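The construction in the proof of Theorem 1 is concrete enough to execute. The block below is an added example written for this page, not code from the paper: it builds M' = (Q', Σ', I', Δ',  F') from a GSUBA given as a transition set and a list of final sets, and counts the accepting runs of M' on a finite word, which both decides membership in L_$ and checks the unambiguity claim (a UFA has at most one accepting run on every word). The sample automaton, a SUBA with m = 1 for the words over {a, b} with at least one a but only finitely many, and the test words are constructed here.

```python
"""Theorem 1: turning a GSUBA M for an omega-language L into a UFA M' for
L_$ = {u$v | u v^omega in L}. This is an added example written for this page,
not code from the paper; the sample SUBA and the test words are constructed."""
from itertools import combinations


def subsets(m):
    """All subsets S of {0, ..., m-1} (the third component of a state of M')."""
    return [frozenset(c) for k in range(m + 1) for c in combinations(range(m), k)]


def gsuba_to_ufa(states, alphabet, initial, delta, final_sets):
    """delta is a set of triples (q, sigma, q'); final_sets is the list F_0..F_{m-1}.
    Returns the NFA M' = (Q', Sigma', I', Delta', F') of the construction."""
    m = len(final_sets)
    full = frozenset(range(m))

    def hits(q):  # T = indices of the final sets that contain q
        return frozenset(i for i, F in enumerate(final_sets) if q in F)

    q1_states = [(q1, q2, S) for q1 in states for q2 in states for S in subsets(m)]
    new_delta = set(delta)                                            # Delta
    new_delta |= {(q, "$", (q, q, frozenset())) for q in states}      # Delta_$
    for q1, q2, S in q1_states:                                       # Delta_1
        for p, s, q3 in delta:
            if p == q2:
                new_delta.add(((q1, q2, S), s, (q1, q3, S | hits(q3))))
    finals = {st for st in q1_states if st[0] == st[1] and st[2] == full}
    return (list(states) + q1_states, set(alphabet) | {"$"},
            set(initial), new_delta, finals)


def count_accepting_runs(nfa, word):
    """Number of accepting runs of an NFA on a finite word; a UFA has at most
    one for every word, so this also checks the unambiguity claim."""
    _, _, initial, delta, finals = nfa
    counts = {q: 1 for q in initial}
    for s in word:
        nxt = {}
        for p, a, q in delta:
            if a == s and p in counts:
                nxt[q] = nxt.get(q, 0) + counts[p]
        counts = nxt
    return sum(c for q, c in counts.items() if q in finals)


# Constructed SUBA (m = 1): states 0 and 1, accepting the words over {a, b}
# that contain at least one a but only finitely many; the only accepting run
# from state 0 jumps to state 1 on the last a, so every word has at most one
# accepting run from any state.
SUBA = dict(states=[0, 1], alphabet="ab", initial={0},
            delta={(0, "a", 0), (0, "b", 0), (0, "a", 1), (1, "b", 1)},
            final_sets=[{1}])
UFA = gsuba_to_ufa(**SUBA)

if __name__ == "__main__":
    print(len(UFA[0]), "states")  # 2^m n^2 + n = 2*4 + 2 = 10
    for w in ["ab$b", "aa$b", "b$b", "a$ab", "ab$"]:
        print(w, count_accepting_runs(UFA, w))
```

With u = aa and v = b the word u v^ω = aab^ω is in L, and M' has exactly one accepting run on aa$b even though M has two runs on aa (the jump to state 1 can only happen on the last a); with v = ab the periodic part contains infinitely many a's and no loop through F_1 exists, so a$ab is rejected.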


The entry in Fig. 3 for row LTL and column UFA is then justified by the 
following. 


Corollary 3. Let φ be an LTL formula of size n with temporal operators next 
and until, with m until subformulas. Then there is a UFA of size 2^(2n+m) + 2^n to 
accept L(φ)_$. 


For transforming LTL to DFA, we have only the doubly-exponential bound 
for transforming an LTL formula to a UFA and the UFA to DFA. 


Lower bounds 
We first generalize Lemma 3 to DBAs and Lemma 4 to NBAs. An observation 
table for an ω-language L is a matrix T ∈ {0, 1}^(ℓ×m) with rows indexed by finite 
words x_i for i ∈ [1..ℓ] and columns indexed by ω-words y_j for j ∈ [1..m] such 
that T_ij = 1 iff x_i y_j ∈ L. Then we have the following, proved analogously to 
Lemma 3 and Lemma 4. 


Lemma 7. Let T be an observation table for the ω-language L. If T has n 
distinct rows, then any DBA accepting L has at least n states. 


Lemma 8. Let T be an observation table for the ω-language L. If the minimum 
1-cover of T has cardinality n, then any NBA to recognize L has at least n states. 


Baier and Katoen [3, Theorem 5.4.2] give a lower bound for a family of LTL 
formulas φ_n of size poly(n) for which equivalent NBAs must have at least 2^n 
states. Below we give a simplified and slightly strengthened version of their lower 
bound, which also applies to M2MAs or NFAs for L_$. 


Theorem 2. For every positive integer n there exists an LTL formula ψ_n of 
size at most 2n + 6 such that any NBA accepting L(ψ_n) must have size at least 
2^n. Any NFA or M2MA accepting L(ψ_n)_$ must have size or dimension at least 
2^n. 


Proof. Let p be a propositional variable. For any positive integer n we define 
the LTL formula ψ_n = □(p → ○^n(p)) ∧ □(¬p → ○^n(¬p)). We use ○^n 
to represent the composition of ○ with itself n times, so ○³(p) abbreviates 
○(○(○(p))). The formula ψ_n has size 2n + 6. Let the symbols 0 and 1 represent 
the assignment of false and true to p. Then L(ψ_n) is the language of ω-words w 
over {0, 1} such that for some x ∈ Σ^n, w = x^ω. 

For L(ψ_n)_$, let x_1, x_2, ..., x_{2^n} be any total ordering of all the elements of 
{0, 1}^n, and consider the observation table T with rows corresponding to x_i and 
columns corresponding to $x_i for i ∈ [1..2^n]. Clearly, there is exactly one 1 in 
row x_i, in the column $x_i, so this observation table is the 2^n × 2^n identity matrix, 
which has rank 2^n, and any NFA or M2MA accepting L(ψ_n)_$ must have size at 
least 2^n by Corollary 1. 

For the lower bound on NBAs, we observe that if we instead index the 
columns of T with (x_i)^ω, it becomes an observation table for the ω-language 
L(ψ_n), and remains the 2^n × 2^n identity matrix, which implies that any NBA 
accepting L(ψ_n) must have at least 2^n states, by Lemma 8. 


5.2 Size increases for DBAs, NBAs, SUBAs 


Upper bounds 

For an NBA of n states accepting L, Calbrix, Nivat and Podelski [7] show that 
there is a DFA of 2^n + 2^(2n²+n) states to accept L_$. Kuperberg, Pinault and 
Pous [14] give a more concise construction that yields for L_$ an NFA of size 
n + n3^n and a DFA of size 2^n + 2^(n3^n). For the conversion of an NBA of n 
states to a SUBA, Carton and Michel provide the upper bound of (12n)^n [8]. 
Starting with a DBA instead of an NBA, the NFA construction of Kuperberg, 
Pinault and Pous is fully deterministic, so the upper bound of n + n3^n holds for 
transforming a DBA into a DFA. Bousquet and Löding [6] show that a SUBA of 
n states accepting the ω-language L may be transformed into a UFA of 2n² + n 
states accepting L_$. 


Lower bounds 


For transforming a DBA for L into a DFA for L_$, Angluin and Fisman [2] prove 
that for every n there is a DBA of n + 2 states accepting a language L such that 
no DFA of fewer than n! states accepts L_$. For transforming a DBA into a UFA, 
M2MA or NFA, we prove the following result. 


Theorem 3. For every even positive integer n there is an ω-language L_n that 
is accepted by a DBA of n + 5 states such that any UFA, NFA or M2MA to 
accept (L_n)_$ must have size or dimension at least \binom{n}{n/2}, which is ~ 2^n / \sqrt{\pi n/2}. 


Proof (Sketch). The proof uses a modification of the DBAs in the construction 
by Angluin and Fisman [2]. Here we sketch the main idea and give an example. 
Let n = 2k for some nonnegative integer k, let Σ_2k = {σ_1, ..., σ_2k} and let Σ 
be Σ_2k ∪ {0, L, E, F}. Consider the regular ω-language defined by the ω-regular 
expression (⋃_{σ ∈ Σ \ {0}} (σ · (Σ \ {σ})* · σ))^ω, which is accepted by a DBA with 
2k + 5 states. Given two subsets C and D of Σ_2k, each of size k, we define words 
u_C and v_D such that (u_C · v_D)^ω is in the language if and only if C = D. The 
main idea behind the construction is that v_D forces each symbol σ in Σ_2k \ D 
to be followed by the character 0. Thus, if the string preceding (and including) 
an occurrence of such a symbol σ is described by the (unambiguous) regular 
expression (⋃_{σ ∈ Σ \ {0}} σ · (Σ \ {σ})* · σ)*, then the symbol 0 that follows cannot 
be properly consumed, resulting in the ω-word being not in the language. We 
construct the words u_C and v_D in such a way that this can happen if and only if 
such a symbol σ ∈ Σ_2k \ D is also in C. Since C and D are subsets of Σ_2k, each 
of size k, this happens exactly when C ≠ D. There is therefore an observation 
table with rows indexed by $u_C for all subsets C of size k and whose columns are 
indexed by v_D for all subsets D of size k, and where each entry, corresponding 
to row and column subsets C and D respectively, is 1 if and only if C = D. By 
Corollary 1, the result follows. 


Example. Let Σ_4 = {1, 2, 3, 4}, let Σ be Σ_4 ∪ {0, L, E, F}, let C = {2, 3}, and let 
D = {2, 4}. Then u_C, v_C and v_D are defined as follows. 

    u_C = [not recoverable from the extraction] 
    v_C = L · E · 1 · 0 · 4 · 0 · E 
    v_D = L · E · 1 · 0 · 3 · 0 · E 

Then (u_C · v_C)^ω is in the language, whereas (u_C · v_D)^ω is not (since C ≠ D). 


For the lower bound on transforming a DBA into a SUBA, Bousquet and 
Löding [6] show that for every positive integer n there exists an ω-language that 
is accepted by a DBA with n + 1 states, and cannot be accepted by a SUBA 
with fewer than 2^(n−1) states. 
For transforming a SUBA into a DFA, Angluin, Antonopoulos and Fisman [1, 
Theorem 5] give a family of ω-languages such that L_n is accepted by a SUBA 
of size 4n + 5, but any DFA to accept (L_n)_$ or its reverse must have size at 
least 2^n. For transforming a SUBA into a UFA, M2MA or NFA, we prove the 
following asymptotically tight lower bound. 


Theorem 4. For every positive integer m greater than 3, there is an ω-language 
L that is accepted by a SUBA with m states, but no M2MA of dimension less 
than 2m² − m + 2 or NFA or UFA of size less than 2m² − m + 2 accepts (L)_$. 


Proof (Sketch). For every n ∈ ℕ we define L_n to be the regular ω-language over 
Σ = {a, b, c} given by the expression ((cc · b^n)* · aa · b^n)^ω. This language is accepted 
by a SUBA S_n with m = n + 3 states. We construct a specific observation table 
M for the language (L_n)_$. We then show that any 1-rectangle cover of M is of 
size at least 2m² − m + 2, which implies by Lemma 4 that the number of states 
of any NFA (or UFA) for the language (L_n)_$ is at least 2m² − m + 2. We further 
show that the rank of M is 2m² − m + 2, and by Lemma 3, obtain that the 
dimension of any M2MA for this language is also at least 2m² − m + 2. 


6 Empirical results 


We report typical size increases in going from a random SUBA, DBA or NBA 
acceptor for a regular ω-language L to a minimized M2MA (and DFA, in the 
case of a SUBA) for L_$. We also report computed sizes of minimized M2MAs 
and DFAs for L(φ_n)_$ for members of particular families {φ_n} of LTL formulas. 
Code is available in the GitHub repository: 

https: //github.com/nevingeorge/Learning_Automata. 

For the generation of random SUBAs, DBAs or NBAs, our procedure is 
as follows. Given parameters n, f, and t we generate a transition relation on 
n states (random reverse-deterministic for a SUBA, random deterministic for a 
DBA, and all possible transitions for an NBA), select f of the n states at random 
to be final, and randomly remove t of the transitions. The resulting transition 
relation is trimmed to remove non-live states and their transitions. The trimmed 
acceptor may have fewer than n states. 

If the goal is a SUBA, using the criterion of Wilke [21], we check that there 
do not exist two different states q_1 and q_2 and a nonempty finite word v such 
that for i = 1, 2, there is a loop on v from q_i to q_i that passes through a final 
state. If the acceptor fails this test, it is rejected, and the procedure is repeated 
until a SUBA is successfully generated. 
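The rejection test above can be implemented as a reachability search over synchronised pairs of runs. The block below is an added example for this page and not the authors' generator: for every ordered pair of distinct states it searches the product of the automaton with itself, tracking for each of the two runs whether a final state has been visited, and returns a witness word v when both runs loop back to their start states after passing a final state. The two sample automata are constructed here: one that passes the criterion (the "last a" automaton from the Theorem 1 example) and one that fails it (a parity automaton on which both states loop on v = bb through the final state).

```python
"""Strong-unambiguity check used when generating random SUBAs (Wilke's
criterion as stated in the text): reject an automaton if two different
states q1 != q2 both have a loop on the same nonempty word v that passes
through a final state. Added example, not the authors' code; the search
over synchronised pairs of runs and the two sample automata are constructed here."""
from collections import deque


def ambiguous_loop_witness(states, delta, final):
    """delta: iterable of (p, sigma, q). Returns (q1, q2, v) if such loops
    exist, else None. Search nodes are (p1, p2, f1, f2): the current state of
    each run and whether it has already visited a final state."""
    by_source = {}
    for p, s, q in delta:
        by_source.setdefault(p, []).append((s, q))
    for q1 in states:
        for q2 in states:
            if q1 == q2:
                continue
            start = (q1, q2, q1 in final, q2 in final)
            goal = (q1, q2, True, True)
            parent = {start: None}          # node -> (previous node, letter)
            queue = deque([start])
            while queue:
                node = queue.popleft()
                p1, p2, f1, f2 = node
                for s, n1 in by_source.get(p1, []):
                    for t, n2 in by_source.get(p2, []):
                        if s != t:
                            continue        # both runs must read the same v
                        nxt = (n1, n2, f1 or n1 in final, f2 or n2 in final)
                        if nxt == goal:
                            letters = [s]   # rebuild v backwards from the path
                            cur = node
                            while parent[cur] is not None:
                                cur, letter = parent[cur]
                                letters.append(letter)
                            return (q1, q2, "".join(reversed(letters)))
                        if nxt not in parent:
                            parent[nxt] = (node, s)
                            queue.append(nxt)
    return None


def passes_suba_check(states, delta, final):
    """True iff the generator would keep this acceptor as a SUBA."""
    return ambiguous_loop_witness(states, delta, final) is None


# Constructed samples. CANDIDATE accepts the words with at least one a and
# finitely many a's: the jump to state 1 must happen on the last a, and no
# loop returns from state 1 to state 0, so it passes. PARITY tracks the parity
# of b's; both states loop on v = bb through the final state r, so it is rejected.
CANDIDATE = ([0, 1], [(0, "a", 0), (0, "b", 0), (0, "a", 1), (1, "b", 1)], {1})
PARITY = (["p", "r"],
          [("p", "a", "p"), ("r", "a", "r"), ("p", "b", "r"), ("r", "b", "p")],
          {"r"})

if __name__ == "__main__":
    print(passes_suba_check(*CANDIDATE))        # True
    print(ambiguous_loop_witness(*PARITY))      # ('p', 'r', 'bb')
```

The search is breadth-first, so the witness it returns is a shortest offending v for the first offending pair of states; for the random generation procedure only the yes/no answer matters.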


6.1 SUBAs to minimized M2MAs and DFAs 


For random SUBAs to minimized M2MAs, we first generate a random SUBA 
with Σ = {a, b, c}, n ∈ {5, 10, 15}, t ∈ {[1, 5], [2, 10], [18, 22]} (resp.), and f = 2 
or f = 3 with equal probability. We then convert it into a UFA using the 
algorithm of Bousquet and Löding [6], and minimize the equivalent M2MA. 
[Fig. 4: Random SUBAs to minimized M2MAs (minimized M2MA dimension against SUBA size; experiment results and the M2MA upper bound).] 
[Fig. 5: Random SUBAs, NBAs, and DBAs to minimized M2MAs (minimized M2MA dimension against input automaton size).] 
[Fig. 6: Random SUBAs to minimized DFAs (left: SUBA to minimized DFA, the DFA upper bound and the SUBA to minimized M2MA curve; right: log of SUBA to minimized DFA size).] 


We performed the above process on approximately 220,000 randomly generated 
SUBAs. 


Fig. 4 is a plot of the average minimized M2MA dimension for each trimmed 
SUBA size from 1 to 10. Upon performing quadratic regression, we obtain the 
orange curve 1.212n² − .2248n, and the blue curve is the theoretical upper bound 
of 2n² + n given in Fig. 3. The quadratic fit has an R² of 0.9996 while a linear fit 
has an R² of 0.9370, suggesting that the growth is indeed quadratic. This curve 
satisfies the theoretical upper bound of 2n² + n, and suggests that the lower 
bound of Ω(n²) holds on average. 


For random SUBAs to minimized DFAs, we also calculated the number of 
reachable states of each minimized M2MA. This is the number of states in the 
equivalent minimized DFA, by a property of the minimization algorithm of Corol- 
lary 2. From Fig. 3, the lower bound in going from a SUBA to a DFA is 2^Ω(n), 
and the upper bound is 2^n + 2^(n3^n). 


In the left graph in Fig. 6, the blue data points representing the results of 
the SUBA to DFA experiment grow much more sharply than the results of the 
SUBA to M2MA experiment, so it is clear that a SUBA can be represented more 
concisely as an M2MA than as a DFA on average. Upon taking the log (base 2), 
we obtain a roughly linear fit as seen in the right graph with equation .7196n + 
1.738 and an R² of .9841, suggesting that on average the growth is exponential. 
The standard deviation and range of converted DFA sizes was large for this 
conversion, making it difficult to make firm claims about the growth. However, 
the data suggests that the exponential lower bound likely holds on average, and 
that in general the upper bound of 2^n + 2^(n3^n) is a severe overestimate. 
6.2 NBAs and DBAs to minimized M2MAs 


For NBAs and DBAs, a minimized M2MA is computed using the M2MA learning 
algorithm of Beimel et al. [4], which makes membership and equivalence queries 
to the NBA or DBA. Instead of exact equivalence queries, we use approximate 
equivalence queries, implemented by testing membership agreement on a sample 
of randomly generated ultimately periodic words. Thus, the dimension of the 
learned M2MA may be an underestimate of the true minimum dimension of an 
M2MA for L_$. 

For the NBA/DBA to M2MA experiments, we generated approximately 1000 
random NBAs/DBAs with Σ = {a, b, c}, n ∈ {5, ..., 10}, t ∈ [0, n] for DBAs 
and t in ranges within [90, 680] for NBAs, and f = 2 or f = 3 with equal 
probability. For the approximate equivalence queries, we tested 1000 random 
ultimately periodic words of length at most 25. The results of the experiments 
can be seen in Fig. 5. The fitted NBA and DBA curves are quadratic with 
equations 1.096n² − .8947n and 1.318n² − 1.392n, respectively. The quadratic 
fits for the NBA and DBA results have an R² of .9954 and .9961, respectively, 
while linear fits have an R² of .9227 and .9118, respectively. These experiments 
have limitations: the use of approximate equivalence queries, the small sample 
size (because of the time requirements of the learning algorithm), and the large 
standard deviation and range of converted M2MA sizes. However, the results 
from all three conversions are very similar, suggesting that in these conditions, 
SUBAs, NBAs, and DBAs don't vary significantly on average with respect to 
their equivalent M2MA representations. 


6.3 LTL formulas to minimized M2MAs 


Random LTL formulas seem not to provide much insight, so we consider spe- 
cific families of LTL formulas: bounded request/grant formulas and two families 
based on the hierarchy of Manna and Pnueli [15], namely obligation and reac- 
tivity formulas. Empirically, for each of the first few members of each family we 
calculate the minimum dimension of an M2MA and the minimum size of a DFA 
accepting the corresponding L_$ language, and use the online tool provided by 
the Spot website (https://spot.lrde.epita.fr/) to find an ω-language acceptor for 
the corresponding L. (Omitted Spot entries exceeded the limit on calculation 
time.) 

The canonical request/grant formula is of the form □(p → ◇(q)), which 
asserts that whenever a request (p) is made, it is eventually granted (q). In the 
bounded version, a number of steps n is specified, and the assertion is that the 
request is granted within n steps. Thus, for each natural number n, we have a 
formula R_n = □(p → (q ∨ ○(q) ∨ ○²(q) ∨ ... ∨ ○^n(q))). The table in Fig. 7a 
gives the resulting sizes and dimensions for n from 0 to 5. It is reasonable to 
conjecture n + 1 for the size of a DBA, n² + 3n + 3 for the minimum dimension 
of an M2MA, and 2n² + 3n + 4 for the minimum size of a DFA representing R_n. 

The family of obligation formulas we consider is: F_n = ⋀_{i=1}^{n} (◇p_i ∨ □q_i). Using 
conjunction and minimization, we calculate the minimum dimension M2MA (and 
minimum size DFA) for L_$ for these formulas for n up to 5. The table in Fig. 7b 
(a) R_n sizes. 
    n   DBA   M2MA   DFA 
    0     1      3     4 
    1     2      7     9 
    2     3     13    18 
    3     4     21    31 
    4     5     31    48 
    5     6     43    69 

(b) F_n sizes. 
    n   DBA   M2MA   DFA 
    1     3      7     9 
    2     9     19    23 
    3    27     55    63 
    4    81    163   179 
    5     —    487   519 

(c) G_n sizes. 
    n   GNBA     M2MA   DFA 
    1   (4, 1)      5     6 
    2   (10, 2)    11    12 
    3   (28, 3)    29    30 
    4   —          83    84 
    5   —         245   246 

Fig. 7: Size or dimension of acceptors for families of LTL formulas. 


shows the results. It is reasonable to conjecture 3^n for the size of a DBA, 2·3^n + 1 
for the minimum dimension of an M2MA, and 2·3^n + 2^n + 1 for the minimum 
size of a DFA to represent F_n. 

The family of reactivity formulas we consider is: G_n = ⋀_{i=1}^{n} (□◇p_i ∨ ◇□q_i). 
We proceed as for the obligation formulas, with the results shown in the table 
in Fig. 7c. Note that these formulas cannot be represented by DBAs, but are 
instead represented by GNBAs, which may have multiple sets of final states. For 
example, the entry (10, 2) indicates a GNBA with 10 states and 2 sets of final 
states. A reasonable conjecture in this case is (3^n + 1, n) for the size of a GNBA, 
3^n + 2 for the minimum dimension of an M2MA, and 3^n + 3 for the minimum 
size of a DFA representing G_n. 

In these cases, the minimum dimension of an M2MA (and size of a DFA) 
appears to grow at most as a polynomial in the size of an ω-language acceptor, 
quadratically for the bounded request/grant family, and linearly for the obliga- 
tion and reactivity families. 


7 Summary and conclusions 


We provide a survey of size relations of M2MAs as a representation of regular 
languages and regular ω-languages, as well as empirical results for several of 
these relations. New theoretical results include an improvement of the lower 
bound for transforming an M2MA to an NFA, an upper bound of 2^O(n) for the 
translation of an LTL formula of size n to a UFA, NFA, or M2MA, a lower bound 
of 2^Ω(n) for the translation of a DBA of n states to an M2MA or NFA, and an 
asymptotically optimal lower bound of 2n² − n + 2 for the translation of a SUBA 
of n states to an M2MA or NFA. 

M2MAs have many advantages as a representation for regular ω-languages: 
determinism, succinct complementation, and polynomial time algorithms for 
minimization, equivalence testing, and learning with membership and equiva- 
lence queries. M2MAs are as succinct as DFAs, sometimes exponentially more 
so, and deserve further study. 
Abstract. Static analyses are mostly designed to show the absence of 
bugs: if the analysis reports no alarms then the program won’t exhibit any 
unwanted behaviours. To this aim they manipulate over-approximations 
of program semantics and, inevitably, they often report some false alarms. 
Recently, O’Hearn proposed Incorrectness Logic, that is based on under- 
approximations, as a formal method to find bugs that only reports true 
alarms. In this paper we aim to answer one important question raised 
by O’Hearn, namely which role can Abstract Interpretation play for the 
development of under-approximate tools for bug catching. In principle, 
Abstract Interpretation based static analyses can be defined for comput- 
ing over-approximations as well as under-approximations, but in practice, 
most techniques exploited the former while few attempts developed the 
latter. To show why it is difficult to design effective under-approximation 
abstract domains, we first propose the new definitions of non emptying 
functions and highly surjective function family and then we formally 
prove the limits of under-approximation analysis by showing the non ex- 
istence of abstract domains able to approximate such functions in a non 
trivial way. Our results outline the limits of under-approximation Ab- 
stract Interpretation and clarify, for the first time, why over- and under- 
approximation analyzers exhibited such a different development. 


Keywords: Abstract Interpretation, Under-approximation, Abstract do- 
mains, Impossibility results 


1 Introduction 


Static program analyses are techniques used to infer properties of programs di- 
rectly from their source code, without executing them. They have been studied 
and successfully applied for over 50 years [12,3,13,1,10,17,18,22,23,4] to pro- 
duce effective methods and tools to support the development of correct soft- 
ware. For all these years, the main focus of static analysis was to prove the 
absence of bugs by computing over-approximations (supersets of all possible 
behaviours) of the semantics of programs: the absence of unwanted behaviour 
in the over-approximation guarantees the correctness of the program. However, 
over-approximations cannot be used to expose bugs, since any alert raised by 
the analyser may be caused by the over-approximation rather than by the pro- 
gram, i.e. it can be a so called false alarm. From the point of view of a software 
developer, false alarms are undesirable because they undermine the credibility 
and usefulness of the analysis. In principle, there is a symmetrical approach to 
static analysis, that is to compute an under-approximation of the semantics, i.e., 
a subset of all possible behaviours of a program. Dually to over-approximations, 
under-approximations can then expose defects in the code, while they are unable 
to show their absence. 

Early works on static analysis, like Hoare logic [13], focused on over-approx- 
imation to prove the absence of errors, and maybe their influence directed the 
focus toward over-approximations. Recently O’Hearn argued for the relevance 
of bug catching with respect to correctness proofs and proposes the Incorrect- 
ness Logic [19], a dual version of Hoare logic thought from the ground up for 
under-approximation. He also advocates for a similar change of perspective in 
the static analyses approach. 

For instance, consider the simple code 


for(i = 0; i < 5; ++i) sum += 1000 / (2 * i) + 100 / (2 * i - 5); 


An abstract analysis based on the domain Int of intervals over-approximates 
the set of possible values each variable can take as the smallest interval that 
contains such values. When applied to the above program, the analysis may detect 
that the value of variable i is between 0 and 4 within the body of the loop, so 
that the arithmetic expression 2 * i is then over-approximated by the interval 
$[0, 8]$ while 2 * i - 5 by the interval $[-5, 3]$. This raises two warnings for possible 
division by zero, since it seems that both arithmetic expressions may assume 
the value 0. It is worth noting that while the warning on the first expression is a 
true alarm, the warning on the second one is a false alarm. On the contrary, an 
analysis based on under-approximation will never raise a warning for the second 
expression since no value of i can cause an error in this case. However, not all 
under-approximations will detect the problem with 2 * i, because any subset 
of $\{0, 2, 4, 6, 8\}$ is a valid under-approximation, including e.g. $\{2, 4, 6, 8\}$. 


The Problem: Abstract Interpretation [6,22,4] is a general framework to define 
sound analyses based on constructive approximations that found its way through 
many aspects of modern computer science, such as verification, optimization, se- 
curity and program transformation. Given its broad applicability, in his paper 
on Incorrectness Logic [19], O’Hearn leaves as an open question whether Ab- 
stract Interpretation could “eventually play a guiding and explanatory role for 
a wide range of static and dynamic under-approximate tools for bug catching, 
similar to what it already does for over-approximate analyses”. The goal of this 
work is to investigate this topic. The results we have achieved will establish that 
under-approximation based Abstract Interpretation analyses have serious intrin- 
sic limitations, and therefore our contribution can be read as a negative answer, 
even if we will then discuss how to overcome some limits. 
Related Work: In their first works on Abstract Interpretation [6], Cousot and 
Cousot introduced the formal theory that could be used to define either over- 
or under-approximations. However, while the former has been extensively stud- 
ied, there have been only sparse studies on the latter. Bourdoncle [2] proposed 
abstract debugging using over-approximation domains, but acknowledged that 
under-approximation ones could be better suited. Lev-Ami et al. [14] proposed 
to use complements of over-approximation domains to infer sufficient precondi- 
tion for program correctness. For the same goal, Miné [15] used directly over- 
approximation domains, giving up the best abstraction and handling the choice 
of a maximal one with heuristics. To infer necessary condition for incorrectness, 
a problem similar to O’Hearn’s but studied for a different goal, Cousot et al. 
[9,8] use Abstract Interpretation techniques but on boolean formulas, hence by- 
passing the issue of defining an abstract domain. Schmidt [24] uses higher-order 
domains, defining abstract states with meaning “there exists a value satisfying 
this over-approximation property”, hence giving rise to an under-approximation 
of over-approximations. In conclusion, all the above approaches design under- 
approximation domains starting from over-approximation ones, and, to the ex- 
tent of our knowledge, there are no abstract domains thought from the ground 
up for under-approximation. So the question whether it is possible to design an 
abstract domain for computing under-approximations naturally arises. 


Contributions: We believe the absence of under-approximation abstract domains 
to be caused by intrinsic difficulties in their design. In this article, we determine 
and explain the reasons behind these difficulties. In the following we point out 
some intuitive asymmetries that suggest why under-approximations are not as 
immediate to use as over-approximations for program analysis. 

While over- and under-approximation can be thought of as dual theories, they 
have a deep asymmetry when dealing with the semantics of basic constructs of 
the language, the so called basic transfer functions. For instance, given an over- 
approximation abstract domain, we can define an under-approximation domain 
by taking the opposite interpretation of abstract elements: the idea is that an 
abstract element represents all concrete elements that may not be present in the 
set of possible values. As a consequence of being an under-approximation, this 
means that all the other concrete elements (the complement of the set) must be 
actual values. Considering the abstract domain of (complemented) intervals, it 
happens, e.g., that an arithmetic expression such as a sum of variables is often 
under-approximated as the whole $\mathbb{Z}$. It is also worth noticing that, while basic 
transfer functions are the same, over-approximation abstract domains are closed 
under intersection, while under-approximation abstract domains are closed under 
union and can grow large very easily. 

Another asymmetry we point out is the handling of divergence. Divergence 
is represented in over- and under-approximation by the same abstract element 
$\bot$, but note that $\bot$ as an under-approximation also represents the absence of 
information (dually to $\top$ in over-approximations). This becomes a problem since 
many concrete functions are strict, that is, when applied to a non-terminating 
expression, they also fail to terminate (they return $\bot$ if one argument is $\bot$), and, 
to be a correct under-approximation, also the corresponding abstract function 
needs to be strict. This implies that whenever the analysis can’t determine any 
meaningful information at some program point, it has to propagate this absence 
of information along all program paths, at least until a join in the control flow 
is found. So “recovery” from $\bot$, that is, producing a result different from $\bot$ 
once we start with it, is very hard in an under-approximation. Note that, on the 
contrary, “recovery” from $\top$ in an over-approximation is much easier, e.g. by a 
constant assignment. 

The previous arguments are substantiated by formal impossibility results for 
building meaningful under-approximation abstract domains. First, we introduce 
the new definition of non emptying function, describing functions that don’t 
tamper with the analysis, and we prove that no abstract domain for integers can be 
constructed that makes all sums non emptying. Second, we propose two general- 
izations (one local and one global) of the result for integer domains to arbitrary 
concrete domains and function families, by introducing the notion of highly sur- 
jective function family, of which sums are an instance. The local condition applies 
to each function in the family, while the global condition is a property of the 
whole family. Finally, we study hypotheses for the existence of abstract domains 
making all functions in a family non emptying, to show first that the hypothesis 
of high surjectivity is tight, and then that further conditions on the function 
family must hold. 


Structure of the paper: In Section 2 we introduce the notation used in the rest of 
the paper and recall the basics of Abstract Interpretation for over- and under- 
approximations. In Section 3 we apply our idea to the concrete domain of integers 
to show that, under some simple conditions, no under-approximation abstract 
domain can exist. In Section 4 we extend the result obtained for integers to 
arbitrary concrete domains and function families. In Section 5 we show that the 
hypothesis of high surjectivity is needed and explore other requirements for the 
function family. Section 6 contains some concluding remarks and an outline of 
future research directions. Due to space limitation, only informal proof sketches 
are included in this proceedings. 


2 Background 


Notation. We let $\mathcal{P}(S)$ denote the powerset of the set $S$ and $\mathit{id}_S : S \to S$ be the 
identity function on a set $S$. We omit subscripts when obvious from the context. 
If $f : S \to T$ is a function, then we overload the symbol $f$ to denote also its 
additive extension $f : \mathcal{P}(S) \to \mathcal{P}(T)$ defined as $f(X) = \{ f(x) \mid x \in X \}$ for any 
$X \subseteq S$. We say a function $f : S \to S$ is acyclic if, for any element $x \in S$ and 
any $n > 0$, we have $f^n(x) \neq x$, where $f^n$ denotes the composition of $f$ with itself $n$ 
times. In ordered structures, such as posets and lattices, we usually denote the 
ordering with $\leq$, least upper bounds (lubs) with $\sqcup$, greatest lower bounds (glbs) 
with $\sqcap$, the least element with $\bot$, the greatest element with $\top$. If $\leq$ is an order relation, 
$\geq$ is the opposite relation, defined as $s \geq t$ if and only if $t \leq s$. We write just 
$S$ for the poset $(S, \leq)$ whenever the order relation $\leq$ is known from the context 
and we use $S^{op}$ to denote the opposite poset $(S, \geq)$: hence $S^{op}$ denotes the same 
set as $S$, but $S^{op}$ comes equipped with the opposite ordering relation $\geq$. Given 
a poset $T$ and two functions $f, g : S \to T$, the notation $f \leq g$ means that, for 
all $s \in S$, $f(s) \leq g(s)$. Any powerset is a complete lattice with ordering given 
by the inclusion relation. In this case, we use the standard symbols $\subseteq$, $\cup$, etc. 


Abstract Interpretation. Abstract Interpretation [6,7,16] is a general framework 
to define sound-by-construction static analyses, with the main idea of approxi- 
mating the program semantics on some abstract domain $A$ instead of working on 
the concrete domain $C$. The main tool used to study Abstract Interpretations 
are Galois connections. Given two complete lattices $C$ and $A$, a pair of monotone 
functions $\alpha : C \to A$ and $\gamma : A \to C$ define a Galois connection (GC) when 


$\forall c \in C,\ a \in A.\quad \alpha(c) \leq a \iff c \leq \gamma(a)$ 


and we denote it with $(C \overset{\alpha}{\underset{\gamma}{\rightleftharpoons}} A)$. We call $C$ and $A$, respectively, the concrete and 
the abstract domain, $\alpha$ is the abstraction function and $\gamma$ is the concretization 
function. In any GC, $\mathit{id}_C \leq \gamma \circ \alpha$, $\alpha \circ \gamma \leq \mathit{id}_A$, $\gamma$ preserves glbs and $\alpha$ preserves 
lubs. In particular, this means that $\gamma(\top_A) = \top_C$ and dually $\alpha(\bot_C) = \bot_A$. 

A GC in which $\alpha \circ \gamma = \mathit{id}_A$ is called a Galois insertion (GI), and if this is the 
case also $\alpha$ is onto and $\gamma$ is injective. By this last property, there is a bijection 
between $A$ and $\gamma(A)$, and using this isomorphism, whenever we consider a GI 
we identify $A$ and its $\gamma$-image so that $A$ becomes a subset of $C$ and $\gamma = \mathit{id}_A$, 
written as $(C \overset{\alpha}{\underset{\mathit{id}}{\rightleftharpoons}} A)$. A GI is said to be trivial if $A$ is the concrete domain or it 
only contains $\top_A$. 

Given a monotone function $f : C \to C$ and a GC $(C \overset{\alpha}{\underset{\gamma}{\rightleftharpoons}} A)$, a function 
$f^\sharp : A \to A$ is a correct (or sound) approximation of $f$ if $\alpha \circ f \leq f^\sharp \circ \alpha$. Its best 
correct approximation (bca) is $f^A = \alpha \circ f \circ \gamma$, and it is the most precise of all 
the correct approximations of $f$. 

As an example, let us consider $C = \mathcal{P}(\mathbb{Z})$, the powerset of integers, and 
$A = \mathit{Int}$, the abstract domain of intervals [6]. Elements of $\mathit{Int}$ are finite intervals 
$[n, m]$ with $n \leq m$, or infinite intervals of the form $[-\infty, m]$ or $[n, \infty]$, together 
with the empty interval $\bot$. The top element is $[-\infty, \infty]$. Intervals are ordered 
by inclusion, the concretisation function $\gamma$ is defined as usual, while the abstrac- 
tion function $\alpha$ maps a set of integers to the smallest interval that contains it. 
If $f(x) = |x|$ is the absolute value function, one of its sound abstractions is 
$f^\sharp([n, m]) = [0, \max(|n|, |m|)]$ because the interval $[0, \max(|n|, |m|)]$ always con- 
tains the entire set $f(S)$ when $n = \min(S)$ and $m = \max(S)$. However this is 
not the best possible abstraction: for instance on $S = \{1\}$ this yields $[0, 1]$ while 
$f(S) = \{1\}$. Actually the best correct abstraction $f^A$ is computed as 


$$f^A([n, m]) = \alpha \circ f \circ \gamma([n, m]) = \begin{cases} [0, \max(|n|, |m|)] & \text{if } n \leq 0 \leq m \\ [n, m] & \text{if } 0 < n \\ [-m, -n] & \text{if } m < 0 \end{cases}$$ 
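The two uses of the interval domain above (the division-by-zero loop of the Introduction and the bca of $|x|$), worked out as an added example that is not part of the paper. Names such as `alpha`, `gamma`, `division_alarms` and `abs_bca` are the example's own, and only finite intervals are handled.

```python
"""Added example, not from the paper: the interval domain Int over P(Z) as an
over-approximation, used (a) to replay the division-by-zero loop of the
Introduction and tell its true alarm from its false alarm, and (b) to compare
the sound abstraction of |x| with its best correct approximation (bca).
Assumption: only finite intervals are handled, which is enough for both cases."""
from itertools import product
from typing import Callable, Dict, Optional, Set, Tuple

# An interval is a pair (lo, hi) with lo <= hi; None stands for the empty
# interval, the bottom element of Int.
Interval = Optional[Tuple[int, int]]


def alpha(s: Set[int]) -> Interval:
    """Abstraction: the smallest interval containing the finite set s."""
    return None if not s else (min(s), max(s))


def gamma(iv: Interval) -> Set[int]:
    """Concretisation of a finite interval: every integer it contains."""
    return set() if iv is None else set(range(iv[0], iv[1] + 1))


def const(n: int) -> Interval:
    return (n, n)


def add(a: Interval, b: Interval) -> Interval:
    """Sound abstract sum: the hull of all concrete sums."""
    if a is None or b is None:
        return None
    return (a[0] + b[0], a[1] + b[1])


def mul(a: Interval, b: Interval) -> Interval:
    """Sound abstract product: the hull of the four corner products."""
    if a is None or b is None:
        return None
    corners = [x * y for x, y in product(a, b)]
    return (min(corners), max(corners))


def may_be_zero(iv: Interval) -> bool:
    """The analyser raises a division-by-zero alarm when 0 lies in the divisor's interval."""
    return iv is not None and iv[0] <= 0 <= iv[1]


def division_alarms() -> Dict[str, Tuple[Interval, bool, bool]]:
    """Replay `for(i = 0; i < 5; ++i) sum += 1000 / (2 * i) + 100 / (2 * i - 5);`.
    For each divisor, return (its abstract interval, whether an alarm is raised,
    whether the alarm is a true alarm, i.e. 0 really is one of its concrete values)."""
    i_abs: Interval = (0, 4)          # the analyser's interval for i in the loop body
    i_conc = gamma(i_abs)             # the concrete values {0, 1, 2, 3, 4}
    divisors = {
        "2 * i": (mul(const(2), i_abs), {2 * i for i in i_conc}),
        "2 * i - 5": (add(mul(const(2), i_abs), const(-5)), {2 * i - 5 for i in i_conc}),
    }
    return {name: (abstract, may_be_zero(abstract), 0 in concrete)
            for name, (abstract, concrete) in divisors.items()}


def under_approx_detects(kept: Set[int], concrete: Set[int]) -> bool:
    """Any subset of the concrete divisor values is a valid under-approximation;
    it exposes the bug only if it kept the value 0."""
    assert kept <= concrete, "an under-approximation must be a subset"
    return 0 in kept


def abs_sound(iv: Interval) -> Interval:
    """The sound but imprecise abstraction of |x| from Section 2: [0, max(|n|, |m|)]."""
    if iv is None:
        return None
    n, m = iv
    return (0, max(abs(n), abs(m)))


def abs_bca(iv: Interval) -> Interval:
    """The bca alpha . f . gamma of |x|, written out by cases as in the paper."""
    if iv is None:
        return None
    n, m = iv
    if n <= 0 <= m:
        return (0, max(abs(n), abs(m)))
    if 0 < n:
        return (n, m)
    return (-m, -n)


def bca(f: Callable[[int], int], iv: Interval) -> Interval:
    """alpha . f . gamma computed directly on a finite interval, to cross-check abs_bca."""
    return alpha({f(x) for x in gamma(iv)})


def bca_matches_cases(lo: int = -6, hi: int = 6) -> bool:
    """Check that the case analysis agrees with the definition on every finite
    interval inside [lo, hi]."""
    return all(abs_bca((n, m)) == bca(abs, (n, m))
               for n in range(lo, hi + 1) for m in range(n, hi + 1))
```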
2.1 Under-approximation Galois Connections 


The definition of GC is not symmetric in $\gamma$ and $\alpha$: it favours over-approximation, 
and is not suited to describe under-approximations. This can be more easily 
seen from the property $\mathit{id}_C \leq \gamma \circ \alpha$, which means that the abstraction $\gamma(\alpha(c))$ of a 
concrete element $c$ is greater than (i.e. an over-approximation of) $c$ itself. For 
this reason we introduce the notion of under-approximation Galois connection 
(UGC). Formally, a UGC is just a GC between $A$ and $C$, in the reverse order, or 
equivalently a GC in which we replace $C$ and $A$ with $C^{op}$ and $A^{op}$. However, we 
believe this definition allows a better notation, helping the reader’s intuition. 
Given two complete lattices $C$ and $A$, a pair of monotone functions $\alpha : C \to A$, 
$\gamma : A \to C$ defines a UGC between $C$ and $A$ when 


$\forall c \in C,\ a \in A.\quad a \leq \alpha(c) \iff \gamma(a) \leq c$ 


and we denote such a UGC with $(C \overset{\gamma}{\underset{\alpha}{\leftrightharpoons}} A)$. Note the different positions of arrows 
and their super/subscripts when compared with a GC $(C \overset{\alpha}{\underset{\gamma}{\rightleftharpoons}} A)$. The difference 
between a GC and a UGC is sketched in Figure 1: in the GC (on the left) $\gamma$ is 
above and $\alpha$ below, while in the UGC (on the right) the two are reversed. Using 
the duality observed above, from standard properties of GCs we get, reversing 
inequalities, that $\gamma \circ \alpha \leq \mathit{id}_C$, $\mathit{id}_A \leq \alpha \circ \gamma$, $\gamma$ preserves lubs and $\alpha$ preserves 
glbs. Moreover, an under-approximation Galois insertion (UGI) is a UGC in 
which $\alpha \circ \gamma = \mathit{id}_A$, and has the properties of $\alpha$ being onto and $\gamma$ being injective, 
making the same identification of $A$ with $\gamma(A)$ possible, written as $(C \overset{\mathit{id}}{\underset{\alpha}{\leftrightharpoons}} A)$. In 
particular, this means that in a UGI on a concrete powerset $(\mathcal{P}(C) \overset{\mathit{id}}{\underset{\alpha}{\leftrightharpoons}} A)$, for 
all $a, a' \in A$, $\gamma(a \sqcup a') = a \cup a'$, that is, $A$ is closed under union. 


Fig. 1: Sketches of GC and UGC. (a) Over-approximation GC. (b) Under-approximation GC. 


Dually to standard, over-approximation GCs, given a monotone function $f : C \to C$ 
and a UGC $(C \overset{\gamma}{\underset{\alpha}{\leftrightharpoons}} A)$, a function $f^\sharp : A \to A$ is a correct (or sound) 
abstraction of $f$ if $\alpha \circ f \geq f^\sharp \circ \alpha$. Again, $f^A = \alpha \circ f \circ \gamma$ is the best correct 
approximation of $f$. 

As an example, let us take again $C = \mathcal{P}(\mathbb{Z})$ and $A = \mathit{Int}_0$, the set of 
integer intervals around 0, i.e. $\mathit{Int}_0 = \{ I \in \mathit{Int} \mid 0 \in I \} \cup \{\bot\}$. This is an under- 
approximation abstract domain because it contains $\bot$ and is closed under union: 
the union of intersecting intervals is an interval too, and all elements of $\mathit{Int}_0$ 
intersect at 0. If again $f(x) = |x|$ is the absolute value function, its bca $f^A$ is 
$f^A([n, m]) = [0, \max(|n|, |m|)]$ since it is always the case that $n \leq 0 \leq m$. 


3 Integer Domains 


In this section we focus on under-approximations of integer domains and prove 
that any under-approximation abstract domain will mostly return trivial analy- 
ses for programs that include sums inside arithmetic expressions. 

To this aim, we introduce the concept of non emptying function. 


Definition 1 (Non emptying function). Let $(C \overset{\gamma}{\underset{\alpha}{\leftrightharpoons}} A)$ be a UGC, $f : C \to C$ 
a monotone function and $f^A = \alpha \circ f \circ \gamma$ its bca. We say that $f$ is non emptying (in 
$A$) if, for any concrete value $c$, $\alpha(c) \neq \bot$ and $\alpha(f(c)) \neq \bot$ imply $f^A(\alpha(c)) \neq \bot$. 


Remember that $\bot$ does not give any interesting information in the under-ap- 
proximation setting, because it can mean divergence as well as complete loss of 
precision. On the contrary, any abstract element different from $\bot$ means “some- 
thing” interesting. The rationale behind the definition of non emptying function 
is that if the analysis starts from something ($\alpha(c) \neq \bot$) and it can find something 
($\alpha(f(c)) \neq \bot$) then it will find at least one of the possible results ($f^A(\alpha(c)) \neq \bot$), 
thus not falling to $\bot$ and avoiding the issues discussed in the Introduction. The 
meaning of Definition 1 is illustrated by the following toy example. 


Example 2. Consider the simple imperative fragment 

if (x ≠ 0) then { while (x < 10) { y := 7 / x; x := x + 1; } } 


where a careless programmer used the condition x ≠ 0 instead of the expected 
x > 0: on any initial state where x is negative the program incurs a division by 
0 error. 

For the analysis, suppose x is an integer value and consider the domain 
$\mathit{Int}_{01} = \{ I \in \mathit{Int} \mid 0 \in I \vee 1 \in I \} \cup \{\bot\}$, a variation of $\mathit{Int}_0$ such that each interval 
in $\mathit{Int}_{01}$ must contain at least one of 0 and 1. By an argument similar to that 
for $\mathit{Int}_0$ it can be shown that $\mathit{Int}_{01}$ is closed under union (since 0 and 1 are 
consecutive values in the integer domain), and thus is an under-approximation 
domain. 

Assume we start the analysis in this domain with the initial condition $[-1; 10]$ 
for variable x: remember that, this being an under-approximation analysis, the 
abstract state $[-1; 10]$ means that x may assume all the values in that interval 
at the beginning of the code fragment. In the concrete execution, the filter x ≠ 0 
then produces the concrete set of values $c = \{-1, 1, 2, \ldots, 10\}$, but the abstract 
interpreter must abstract this to its largest subset that is an interval containing 
0 or 1, that is $[1; 10]$. The abstract analysis of the loop then proceeds straightfor- 
wardly, finding $\bot$ after one iteration of the loop body (since after the increment 
the set of values for x is $\{2, 3, \ldots, 11\}$, which is abstracted to $\bot$ because it 
contains neither 0 nor 1) and so the abstract fixpoint of the loop is $[1; 10]$. This yields 
no error, even though the concrete execution starting at x = −1 does indeed fail 
after one iteration. The issue here is that the semantics $f$ of the increment x := 
x + 1 is not non emptying in $\mathit{Int}_{01}$: on the concrete value $c = \{-1, 1, 2, \ldots, 10\}$, 
its input in this program, we have $\alpha(f(c)) = \alpha(\{0, 2, 3, \ldots, 11\}) = [0; 0] \neq \bot$ but 
$f^A(\alpha(c)) = f^A([1; 10]) = \alpha(f([1; 10])) = \alpha(\{2, 3, \ldots, 11\}) = \bot$. 
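The domain $\mathit{Int}_{01}$ of Example 2, the non emptying check of Definition 1 and the abstract run of the fragment, as an added example that is not part of the paper; the function names (`alpha`, `join`, `bca`, `is_non_emptying_on`, `analyse_example_2`) are the example's own and concrete sets are assumed finite.

```python
"""Added example, not from the paper: the under-approximation domain Int01 of
Example 2 (intervals containing 0 or 1, plus bottom), its abstraction alpha
that keeps the largest representable subset, the non emptying check of
Definition 1, and the abstract run of the fragment that misses the bug.
Assumption: concrete sets are finite, as in the example."""
from typing import Callable, List, Optional, Set, Tuple

Interval = Optional[Tuple[int, int]]   # None stands for bottom
BOTTOM: Interval = None


def runs(s: Set[int]) -> List[List[int]]:
    """Split a finite set of integers into maximal runs of consecutive values."""
    out: List[List[int]] = []
    for v in sorted(s):
        if out and v == out[-1][-1] + 1:
            out[-1].append(v)
        else:
            out.append([v])
    return out


def alpha(s: Set[int]) -> Interval:
    """Under-approximating abstraction: the largest subset of s that is an
    interval containing 0 or 1. It is unique because 0 and 1 are consecutive,
    so they can never lie in two different runs."""
    for r in runs(s):
        if 0 in r or 1 in r:
            return (r[0], r[-1])
    return BOTTOM


def gamma(iv: Interval) -> Set[int]:
    return set() if iv is None else set(range(iv[0], iv[1] + 1))


def join(a: Interval, b: Interval) -> Interval:
    """Int01 is closed under union: two non-bottom elements both meet {0, 1},
    so their union is again an interval of the domain."""
    if a is None:
        return b
    if b is None:
        return a
    return (min(a[0], b[0]), max(a[1], b[1]))


def bca(f: Callable[[int], int]) -> Callable[[Interval], Interval]:
    """Best correct approximation alpha . f . gamma of a concrete map f."""
    return lambda iv: alpha({f(x) for x in gamma(iv)})


def filter_ne(iv: Interval, k: int) -> Interval:
    """Abstract effect of the test x != k: drop k, then re-abstract."""
    return alpha(gamma(iv) - {k})


def is_non_emptying_on(f: Callable[[int], int], c: Set[int]) -> bool:
    """Definition 1 checked on one concrete value c: if alpha(c) != bottom and
    alpha(f(c)) != bottom, then f^A(alpha(c)) must be != bottom."""
    image = {f(x) for x in c}
    if alpha(c) is None or alpha(image) is None:
        return True                      # premise fails, nothing to check
    return bca(f)(alpha(c)) is not None


def analyse_example_2(x0: Interval) -> Tuple[Interval, bool]:
    """Abstract run of  if (x != 0) { while (x < 10) { y := 7 / x; x := x + 1 } }
    from the initial state x0. Returns the loop invariant and whether the analysis
    reports the division y := 7 / x as possibly failing (0 in the state of x).
    As in the paper, the increment is applied to the whole loop-head state."""
    inc = bca(lambda x: x + 1)
    inv = filter_ne(x0, 0)               # state at loop entry
    alarm = False
    for _ in range(1000):                # bound the iteration just in case
        if inv is not None and inv[0] <= 0 <= inv[1]:
            alarm = True
        new = join(inv, inc(inv))
        if new == inv:
            break
        inv = new
    return inv, alarm


def concrete_division_by_zero(x: int) -> bool:
    """Run the same fragment concretely from x and report a division by zero."""
    if x != 0:
        while x < 10:
            if x == 0:
                return True              # y := 7 / x would fail here
            x += 1
    return False
```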


For the remainder of the paper we assume a set of concrete values $C$, a UGI 
$(\mathcal{P}(C) \overset{\mathit{id}}{\underset{\alpha}{\leftrightharpoons}} A)$ with concrete domain $\mathcal{P}(C)$, and we say an element $S \in \mathcal{P}(C)$ is 
representable if it belongs to $A$, or equivalently if $\alpha(S) = S$. 


Definition 3. Let $S \subseteq C$ be a subset of $C$. We say that $d \in C$ is representable 
with $S$ if $S \cup \{d\}$ is representable. We call $R(S)$ the set of elements of $C$ repre- 
sentable with $S$, i.e. 


$R(S) = \{ d \in C \mid \alpha(\{d\} \cup S) = \{d\} \cup S \}$ 


For the sake of brevity, we shall write $R$ for $R(\emptyset)$, the set of representable values 
of $C$, and $R(c)$ for $R(\{c\})$ where $c \in C$ is any concrete value. The following 
is a technical lemma valid for non emptying functions, that explains the role 
played by Definition 1 in proving all our negative results (Propositions 7, 10 and 
Theorems 12, 15). 


Lemma 4. Let $f : C \to C$ be non emptying, $c \in R$ and let the pair $\{c, \tilde{c}\}$ be not 
representable, i.e. $\tilde{c} \notin R(c)$. If $f(\tilde{c}) \in R$ then also $f(c) \in R$. 


The main proof line of all our impossibility results is the same, and exploits this 
Lemma. All our results require the size of the abstract domain to be compa- 
rable with that of the set of concrete values $C$ (whose powerset $\mathcal{P}(C)$ is the 
concrete domain), and this in turn implies that representable elements are few. 
Then, assuming that all functions in a certain family are non emptying, we use 
Lemma 4 repeatedly to get many new representable elements, thus finding a 
contradiction. The key issues in the proofs are two: first, it must be possible to 
apply Lemma 4; second, all the new representable elements obtained applying 
it must be different from one another. In the following, we present some sets of 
conditions that are able to guarantee these two points, hence obtaining hypotheses 
for the non existence of under-approximation abstract domains. 


3.1 Infinite Integer Domain 
As a first example, we consider the infinite domain P(Z) of integers. 


Assumption 5 We assume that an abstract domain A, to be feasible for anal- 
yses, must be at most countable. 
We make this assumption because we want to represent abstract elements with 
an amount of bits comparable with that of concrete values, to have a complexity 
comparable with a single concrete execution of the program and not exponen- 
tially larger. Thus, we require the size of the abstract domain to be that of Z, 
the set of values handled by the program, and not the concrete domain P(Z). 
Many abstract domains satisfy it, for instance intervals, octagons and polyhe- 
drons with at most n edges, for any n; some, such as general polyhedrons, don’t, 
but they also exhibit a worst case exponential cost. 

Based on Assumption 5, we prove a simple cardinality estimate that is used, 
as anticipated before, to prove that there are few representable elements. 


Lemma 6. For any fixed subset $S \subseteq \mathbb{Z}$, $R(S)$ is finite. 


The result for integers now shows that no under-approximation abstract domain 
makes all sums non emptying. The idea of the proof is to define an infinite 
sequence of representable elements, which contradicts the previous 
lemma stating that $R$ is finite. In order to define such a sequence, we want 
to use Lemma 4: we start from an initial representable $n_0$ and from a value $\tilde{n}$ 
not representable with it, then find a non-emptying $f$ that maps $\tilde{n}$ into $n_0$, so 
that $f(\tilde{n})$ is representable and we can then apply the lemma to get the new 
representable element $f(n_0)$. We then iterate this procedure, changing $f$, to 
build the infinite sequence. We believe the hypothesis that there exists an initial 
representable value is not very restrictive since initializations like x = 0 must 
be abstracted to $\bot$ if 0 is not representable. 


Proposition 7. Let $(\mathcal{P}(\mathbb{Z}) \overset{\mathit{id}}{\underset{\alpha}{\leftrightharpoons}} A)$ be a UGI, and assume that there is an integer 
$n_0$ that is representable. Then it can’t be the case that all the functions of the 
form $f_n(x) = x + n$ are non emptying in $A$. 


The meaning of this proposition for program analysis is that a domain 
small enough (by Assumption 5) is probably unable to deduce meaningful in- 
formation on an integer domain: if it doesn’t contain representable singletons 
it must abstract to $\bot$ any variable initialization, and otherwise it can’t be non 
emptying for all sums, hence getting $\bot$ when values are manipulated using this 
operation. In both cases, because of strictness, the abstract $\bot$ is propagated 
along program paths, yielding it as the final result of the analysis, which means 
exactly that it can’t determine any information. This issue is not bound to manifest 
for all programs, but for any domain there exist programs for which it does. 


3.2 Finite Integer Domain 


An analogous result can be obtained for a finite integer domain P([—N; N]), 
where N is some big integer. This concrete domain models machine integers, that 
are constrained within an interval, so we assume that operations are performed 
in machine arithmetic, that is wrapping around in case of overflows. This is 
modelled working modulo 2N + 1, the length of the interval, and taking the 
unique representative of each congruence class in the interval [—N, N] of interest. 
It is worth noting that the interval is taken symmetric around 0 to simplify 
notation, but there is no conceptual difficulty in using an asymmetric one. 


Assumption 8 We assume that an abstract domain A, to be feasible, must have 
a cardinality that is polynomial in N. 


This assumption guarantees that the number of bits required to represent an 
abstract element is linear in that for concrete elements so that, again, the cost of 
the analysis is polynomial and not exponential in that of a concrete execution. 

In the following we’ll use asymptotic notation for some quantities. For this 
to be completely formal we should define a sequence of abstract domains $A_N$, 
each one for the concrete domain $\mathcal{P}([-N, N])$, then define a sequence of values 
for each quantity we want to estimate, and take the limit of this sequence for 
$N$ going to infinity. However we do believe all these formal details would clutter 
notation, making it hard to get insight. For this reason, we avoid all this, just 
(ab)using the intuitive meaning associated with the notation. 

The next lemma is analogous to Lemma 6 in proving that some sets are small 
under Assumption 8 on the cardinality of A. 


Lemma 9. For any fixed subset $S \subseteq \mathbb{Z}$, $|R(S)| = O(\log N)$. 


The following proposition uses the same proof line as Proposition 7 above: we 
define a sequence of representable elements, and prove that they are too many 
since, by the previous lemma, R is quite small. 


Proposition 10. Let $(\mathcal{P}([-N, N]) \overset{\mathit{id}}{\underset{\alpha}{\leftrightharpoons}} A)$ be an under-approximation Galois in- 
sertion, and assume that there is an integer $n_0$ that is representable. Then it can’t 
be the case that all the functions of the form $f_n(x) = x + n \pmod{2N + 1}$ are 
non emptying in $A$. 


4 Arbitrary domains 


The definition of non emptying function is fully general and not limited to the 
concrete integer domain, hence we use it to propose conditions that are indepen- 
dent of the concrete domain. In this section, we deal with an infinite set $C$ of 
concrete values, and a UGI $(\mathcal{P}(C) \overset{\mathit{id}}{\underset{\alpha}{\leftrightharpoons}} A)$. Again, we take Assumption 5 on 
the size of $A$. Under this assumption we can prove again Lemma 6, which doesn’t 
depend on the specific integer domain considered in the previous section. 

All conditions we propose in this section are mainly on the family of functions 
considered and not on the abstract domain. The reason for this is that first we 
fix a function family, corresponding to a program, and then we look for a domain 
well suited to analyse the specific family at hand. In other words, the family is 
given by the applicative context, while the domain can be adapted to it. 


Definition 11 (Highly surjective function family). Given a family $F$ of 
functions from $C$ to itself and an element $c \in C$, let 


$P(c) = \{ d \in C \mid \exists f \in F.\ f(d) = c \}$ 


be the set of preimages of $c$, the elements of $C$ that can be mapped to $c$ by a function 
in $F$. We say that the family $F$ is highly surjective if $P(c)$ is infinite for any 
possible choice of $c \in C$. 


This property is needed together with Lemma 6 to apply Lemma 4 and get a new 
representable element: since there are infinitely many preimages of $c$ but $R(c)$ is finite, 
there are elements $\tilde{c} \in P(c)$ not in $R(c)$; then by definition of $P(c)$ there is an $f$ 
such that $f(\tilde{c}) = c \in R$, so we can apply the lemma to get $f(c) \in R$. The reason 
for requiring $f(\tilde{c}) = c$ instead of just $f(\tilde{c}) \in R$ is that, at the beginning of the proof, we 
only assume $R$ to contain one element, hence the two conditions are equivalent. 
Starting from this basic idea, we present two sets of sufficient conditions to prove 
the non existence of any under-approximation abstract domain. 


4.1 Local Requirements for Impossibility 


The first set of conditions we propose is in a sense more “local”, in that it requires 
conditions on each function in the family $F$ independently of the others. 


Theorem 12. Let $F$ be a highly surjective function family from $C$ to itself 
such that all functions $f \in F$ are either injective or acyclic. Assume also that $R$ 
isn’t empty. Then $A$ can’t be non emptying for all $f \in F$. 


In the previous section we developed an ad hoc proof for the family of sums 
over integers, but the same result can also be obtained as an application of this 
theorem: if $C = \mathbb{Z}$ and $F = \{ \lambda x.\, x + n \mid n \in \mathbb{Z} \}$, the family is highly surjective 
(actually $P(c) = \mathbb{Z}$ for all $c$) and all these functions are injective, so it meets the 
hypothesis of the theorem. Another example are rational or real numbers, with 
sums or products. 


Example 13. Take $C = \mathbb{Q} \setminus \{0\}$ and $F = \{ \lambda x.\, x \cdot q \mid q \in \mathbb{Q} \setminus \{0\} \}$. The family 
is highly surjective since $P(c) = \mathbb{Q} \setminus \{0\}$ for all $c$, and all these functions are 
invertible, hence injective. 


A possibly more interesting example of application is to floating-point numbers 
as described by the IEEE Standard. 


Example 14. Take $C = \mathbb{F} \setminus \{0\}$, the set of non-zero floating-point numbers that 
can be represented with a fixed number of significant digits, say $t$ bits, but 
with an arbitrary precision exponent. We make the choice of infinite precision 
exponents and finite number of significant digits in order to have an infinite 
domain, as required by the theorem, but also preserve characteristics of floating- 
point arithmetic. 

Let $\cdot$ and $\otimes$ denote respectively the real product and its floating-point approxi- 
mation, and consider the function family $F = \{ \lambda x.\, x \otimes y \mid y \in C \}$. The function 
family is highly surjective, e.g. considering that all numbers with the same signifi- 
cant digits as a floating-point $x$ but different exponent can be mapped into $x$ mul- 
tiplying them by 1 times the difference of exponents. For the second condition, 
if $y = \pm 1$ we have that the function $\lambda x.\, x \otimes y$ is invertible, hence injective. Oth- 
erwise, assume without loss of generality that $y > 1$ (other cases are analogous), 
and by contradiction assume it has a cycle $f^n(x_0) = x_0$. By monotonicity of $\otimes$ we 
have $f(x) = x \otimes y \geq x \otimes 1 = x$, hence $x_0 \leq f(x_0) \leq f^2(x_0) \leq \cdots \leq f^n(x_0) = x_0$ 
so all the elements of the cycle are equal, in particular $f(x_0) = x_0$. However, 
if $y \neq 1$, the product $x \otimes y$ is never equal to $x$, which is a contradiction. Hence 
the function is acyclic. This means $F$ meets the hypothesis of Theorem 12, hence no 
abstract domain on floating-point numbers can be non emptying for all multi- 
plications. 


4.2 Global Requirements for Impossibility 


The second set of conditions we propose is “global”, in the sense that it requires 
the family F to satisfy a property as a whole. 


Theorem 15. Let $F$ be a highly surjective function family from $C$ to itself 
such that 


— for all pairs of elements $c, d \in C$ there exists at most a finite amount of $f \in F$ 
such that $f(d) = c$ 

— for all pairs of an element $c \in C$ and a function $f \in F$, there exists at most 
a finite amount of elements $d \in C$ such that $f(d) = c$ 


Assume also that $R$ isn’t empty. Then $A$ can’t be non emptying for all $f \in F$. 


Again this result can be used to prove the impossibility of building an ab- 
stract domain for integers that is non emptying for all sums, or for floating-point 
numbers. 


Example 16. Take C = F \ {0} the set of non-zero floating-point numbers with 
t-bit significands and arbitrary precision exponents, and ℱ = {λx. x ⊗ y | y ∈ 
F \ {0}}. As observed in Example 14 this family is highly surjective. Fix 
now two floating-point numbers x, y, and let u be the machine precision of 
floating-point arithmetic; then y = f(x) = x ⊗ z only if |z| belongs to a bounded 
interval around |y| / |x| whose width depends on u. The interval is bounded since 
x ≠ 0, and hence contains only finitely many floating-point numbers. Analogously, 
fixing a floating-point number y and a function f(x) = x ⊗ z, we have that 
y = x ⊗ z only if |x| belongs to a bounded interval, which contains only finitely 
many floating-point numbers. So, by means of Theorem 15 above, we proved again 
that no abstract domain on floating-point numbers can be non emptying for all 
multiplications. 

5 On the Necessity of the High Surjectivity Hypothesis 


Both sets of conditions we proposed in this section require the function family 
to be highly surjective. This turns out to be necessary in order to prove that no 
under-approximation abstract domain exists: 


Proposition 17. For any fixed family ℱ of functions from C to itself that is 
not highly surjective, there exists an abstract domain A_ℱ for ℘(C) such that 


— A_ℱ is finite; 
— all functions f ∈ ℱ are non emptying in A_ℱ. 


Moreover, the proof of this proposition is constructive, and we present an exam- 
ple of such construction in the following. 


Example 18. Fix the pair of functions f(x) = x − 1 and g(x) = x − 2 on Z. 
The family ℱ = {f, g} is clearly not highly surjective, so we build an 
under-approximation abstract domain for which these functions are non emptying. 
First, take an integer n_0 such that P(n_0) (computed with respect to ℱ) is finite. 
With this ℱ, any integer is fine, so let us fix n_0 = 0. 

The set of preimages of 0 is P(0) = {1, 2}. We define the abstract domain 
A_ℱ as 


    A_ℱ = {∅} ∪ {X ∪ {0} | X ⊆ P(0)} = {∅, {0}, {0, 1}, {0, 2}, {0, 1, 2}} 


In this abstract domain, a set is abstracted to ∅ if and only if it does not contain 
0, since all elements of A_ℱ but ∅ contain 0 and the abstraction of a set must be 
a subset of that set. 

To check that f is non emptying in A_ℱ fix a set S ⊆ Z. If α(S) = ∅ the 
non emptying condition is vacuously true, so assume this is not the case, which is 
equivalent to 0 ∈ S. Analogously, if α(f(S)) = ∅ the condition is true, so assume 
0 ∈ f(S) or, equivalently, 1 ∈ S. Using these two facts we get 


    f^♯(α(S)) = α(f(α(S)))               [def. of f^♯] 
              ⊇ α(f(α({0, 1})))          [α, f monotone, S ⊇ {0, 1}] 
              = α(f({0, 1}))             [α({0, 1}) = {0, 1}] 
              = α({−1, 0}) = {0}         [def. of f and α] 


so f^♯(α(S)) ≠ ∅. The check for g is analogous. 


Even though this proposition defines an under-approximation abstract domain, 
it should not be interpreted as a positive result, since the resulting domain is 
almost a power set and hence too large to be feasible in practice. Instead, the 
proposition should be regarded as a way to show that one of the hypotheses 
required in the previous theorems is tight and cannot be weakened. In particular, 
since these kinds of results need high surjectivity, they are ill suited when the 
focus is on a single function. 

This proposition can be generalized to consider sets S ⊆ C whose preimages 
are finite, but a little care is needed when lifting the definition of preimages to 
sets of values: a preimage is a set for which there exists a function that maps it 
to S, not the union of the preimages of the elements of S: 


    P(S) = {T ⊆ C | ∃f ∈ ℱ. f(T) = S} 


Using this definition, the proposition generalizes straightforwardly: 


Proposition 19. Let ℱ be a family of functions from C to itself, and assume 
there is a set S_0 ⊆ C such that P(S_0) is finite. Then there exists a finite abstract 
domain A_ℱ for ℘(C) such that all functions f ∈ ℱ are non emptying in A_ℱ. 


This proposition may for instance be applied to the concrete domain of finite 
lists to show that a natural function family to consider can’t be used to prove 
non existence of under-approximation domains using non emptying functions. 


Example 20. Fix the concrete domain C as the set of all lists of finite length 
over a finite, non-empty alphabet Σ, i.e. C = Σ*. For α ∈ Σ* a finite string, let 


    concat_α(β) = αβ 

be the function that prefixes α to its argument. The family 

    ℱ = {concat_α | α ∈ Σ*} 


is not highly surjective, because for a fixed string γ only its suffixes β (with 
α the matching prefix) can be mapped into it by a function in ℱ, and there are 
finitely many of them. Hence we can define an under-approximation abstract 
domain for which all these functions are non emptying by means of Proposition 19. 
Such domains are defined with a construction similar to that of Example 18; in 
particular, if ε is the empty list, considering the set S_0 = {ε}, whose only 
preimage is S_0 itself, the construction yields 

    A_ℱ = {∅, {ε}} 

It is easy to check that all functions concat_α are non emptying in this abstract 
domain. 


The previous proposition focuses on preimages, stating that if there is a 
concrete element that has finitely many of them then it is possible to define an 
under-approximation domain. A natural dual of this proposition can be 
formulated in terms of images. For a subset S ⊆ C, the set of its images is 


    I(S) = {f(S) | f ∈ ℱ} 


This definition is exactly dual to that of preimages, and can actually be used to 
formulate a similar result. 


Proposition 21. Let ℱ be a family of total functions (i.e. if S ≠ ∅ then f(S) ≠ 
∅) from ℘(C) to itself, and assume there is a non empty set S_0 ⊆ C such 
that I(S_0) is finite. Then there exists a finite abstract domain A_ℱ such that all 
functions f ∈ ℱ are non emptying in A_ℱ. 

Even though this proposition introduces the technical hypothesis that all f ∈ ℱ 
are total, we do not believe this to be very restrictive, because these theorems 
are intended to be applied when ℱ is a family of basic transfer functions, which 
seldom introduce divergence: in programming languages this is often caused by 
control-flow constructs. An application of this proposition is again on lists, to 
rule out another natural function family. 


Example 22. Fix again C = Σ*, and consider the functions drop_n : Σ* → Σ* that, 
given a list, drop its first n elements and return the resulting list. If the input 
list is shorter than n, the output of drop_n is the empty list ε. The function family 


    ℱ = {drop_n | n ∈ N} 


is highly surjective since, for any fixed list α ∈ Σ* and any n, we can extend 
α with any n characters, and map this list to α with drop_n. However, images 
through this function family are finite: 


    I(α) = {drop_n(α) | n ∈ N} 


is finite since it is the set of all tails of α. Hence by Proposition 21 we can 
define an under-approximation abstract domain such that all functions drop_n 
are non emptying. Again, these domains are constructed from sets S_0 with 
finitely many images, and considering S_0 = {ε}, which satisfies I(S_0) = {{ε}}, 
this yields 

    A_ℱ = {∅, {ε}} 

Again it can be easily checked that all functions drop_n are non emptying in A_ℱ. 


These two propositions consider opposite situations in which it is possible 
to define an under-approximation domain: the former applies unless ℱ allows 
going backward in infinitely many ways, the latter unless it allows going forward 
in infinitely many ways. This is often not possible in the presence of "boundaries" 
in the concrete domain, that is, points towards which or away from which functions 
tend to move: for instance, ε is such a point for finite strings, because concat 
functions move away from it while drop functions move towards it. Another 
example of such a boundary is 0 in the domain of integers Z with respect to 
multiplications and (rounded) divisions: the former increase the absolute value, 
moving away from 0 (even though 0 itself is never a preimage), while the latter 
decrease it. Considering a function family made of both kinds of functions does 
not help either: a slight adaptation of the constructions for the two propositions 
above shows that, if ℱ can be partitioned into two subfamilies, each satisfying the 
hypotheses of one of the two propositions, then there exists an under-approximation 
abstract domain. An example of this is in the set of finite lists, taking as ℱ both 
concat and drop functions. The construction then yields exactly A_ℱ = {∅, {ε}}, 
for which all these functions are non emptying, as shown in Examples 20 and 22. 
In light of these observations, in order to apply effectively the definition of non 
emptying function to prove non existence of abstract domains, for every possible 
boundary there must be a function that is able to both enter and exit it. This 
happens for integers, since there is no boundary, but not for finite lists, with {ε} 
being often either a sink or a source for many functions on lists. 
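The constructions of Examples 18, 20 and 22, and the observation just made that concat and drop together still yield {∅, {ε}}, can be checked mechanically. The Python below is an added example and not code from the paper: it builds A_ℱ from an anchor element and its set of preimages exactly as in Example 18, computes the best under-approximation α(S) as the largest domain element contained in S (the constructed domains are union-closed, so this is the union of all such elements), lifts f pointwise, and searches for a set S on which the non emptying condition, read off the page's own check in Example 18 as "α(S) ≠ ∅ and α(f(S)) ≠ ∅ imply α(f(α(S))) ≠ ∅", fails. Quantifying over every S ⊆ C is impossible on an infinite concrete domain, so the search ranges over all subsets of a finite window of Z (respectively of {a, b}*); that window, the function names and the helper names are assumptions of this example. It also runs the check on x + 1, which lies outside ℱ, to show that the domain is tailored to the family: a function whose preimage of 0 is not in P(0) is not non emptying.

```python
"""Added example (not from the paper): finite under-approximation domains built
as in Proposition 17 / Example 18, and the non emptying check applied to the
integer family {x-1, x-2} (Example 18) and to the list families concat_a and
drop_n of Examples 20 and 22.  The concrete domains are truncated to finite
windows so that the check over all S can be exhaustive (our assumption)."""
from itertools import combinations, product


def powerset(iterable):
    s = list(iterable)
    return [frozenset(c) for r in range(len(s) + 1) for c in combinations(s, r)]


def preimages(family, c, window):
    """P(c) = {d | exists f in F with f(d) = c}, computed over a finite window."""
    return {d for d in window for f in family if f(d) == c}


def build_domain(n0, pre):
    """A_F = {empty} | {X | {n0} : X subset of P(n0)}, the construction of Example 18."""
    return {frozenset()} | {frozenset(X) | {n0} for X in powerset(pre)}


def alpha(domain, S):
    """Best under-approximation of S: the union of all domain elements contained in S.
    The constructed domains are union-closed, so this union is itself in the domain."""
    best = frozenset().union(*[a for a in domain if a <= S])
    assert best in domain
    return best


def lift(f):
    """Additive (pointwise) extension of f to sets of values."""
    return lambda S: frozenset(f(x) for x in S)


def emptying_witness(domain, f, window):
    """Return a set S on which f is NOT non emptying, or None if no such S exists
    within the window.  Condition checked, as in Example 18:
    alpha(S) != {} and alpha(f(S)) != {}  implies  f#(alpha(S)) = alpha(f(alpha(S))) != {}."""
    F = lift(f)
    for S in powerset(window):
        aS = alpha(domain, S)
        if not aS or not alpha(domain, F(S)):
            continue                      # condition vacuously true
        if not alpha(domain, F(aS)):
            return set(S)
    return None


# --- Example 18: f(x) = x - 1, g(x) = x - 2 on Z, anchored at n0 = 0 (window assumed) ---
INT_WINDOW = range(-3, 4)
INT_FAMILY = [lambda x: x - 1, lambda x: x - 2]
INT_DOMAIN = build_domain(0, preimages(INT_FAMILY, 0, INT_WINDOW))   # P(0) = {1, 2}


# --- Examples 20 and 22: lists over the alphabet {a, b}, window = strings of length <= 2 ---
LIST_WINDOW = ["".join(w) for k in range(3) for w in product("ab", repeat=k)]


def concat(a):
    return lambda s: a + s


def drop(n):
    return lambda s: s[n:]                # shorter input gives the empty list, as on the page


# P(eps) under the concat family is {eps}, so the construction yields {empty, {eps}};
# the same domain serves the drop family (Example 22) and the union of both families.
LIST_DOMAIN = build_domain("", preimages([concat(a) for a in LIST_WINDOW], "", LIST_WINDOW))


if __name__ == "__main__":
    print(sorted(map(sorted, INT_DOMAIN)))
    for name, f in [("x-1", INT_FAMILY[0]), ("x-2", INT_FAMILY[1]), ("x+1", lambda x: x + 1)]:
        print(name, "witness:", emptying_witness(INT_DOMAIN, f, INT_WINDOW))
    both = [concat(a) for a in LIST_WINDOW] + [drop(n) for n in range(4)]
    print("lists ok:", all(emptying_witness(LIST_DOMAIN, f, LIST_WINDOW) is None for f in both))
```

The witness returned for x + 1 is a set such as {−1, 0}: α({−1, 0}) = {0} and α(f({−1, 0})) = α({0, 1}) ≠ ∅, but f^♯({0}) = α({1}) = ∅, which is exactly the situation the construction of Proposition 17 rules out for the members of ℱ.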
6 Conclusions and Future Works 


Until recently, the focus of formal static analyses has been on over-approximation 
to prove program correctness, but many tools based on this theory are instead 
deployed to catch bugs [23,10]. Incorrectness Logic promoted the study of a 
theory for under-approximation to give a formal basis to a new class of tools. 
This has seldom been done in the last few decades, especially in the framework 
of Abstract Interpretation. In our work, we point out some asymmetries between 
over- and under-approximation in Abstract Interpretation, and why those are 
an obstacle to the design of abstract domains. We have identified functions as 
the main difference, because they remain the same in both over- and 
under-approximation, thus preventing one theory from being obtained simply as the 
dual of the other. Handling of divergence is another critical issue. Building on 
those ideas, we have proposed the (to the best of our knowledge) new definition of 
non emptying function and studied how it can be used to prove non existence of 
under-approximation abstract domains. We have presented some general results, 
and applied them to integer and floating-point domains to conclude that, under 
some assumptions, there are no useful under-approximation domains. Then, we 
have found conditions under which there do exist under-approximation abstract 
domains, showing that some of the hypotheses required in our theorems are very 
tight. However, because of the scarcity of works in this direction, we believe there 
are many possible subjects for future research. 

Under-approximation abstract domains must be closed under union, but 
known abstract domains are rarely such. However, disjunctive completion [11], a 
known domain transformer, refines any abstract domain into a union-closed one. 
This has been studied for over-approximation in order to improve precision at 
the expense of increased complexity. A solution to keep the analysis feasible is 
to use heuristics to prune disjunctions, trading back precision for complexity, 
but making the analysis possible for under-approximations. Moreover, practical 
tools based on the theory of Incorrectness Logic already use heuristics to drop 
logical disjunctions [19], so taking inspiration from them may be effective also 
for Abstract Interpretation. 

In their recent work, Raad et al. [20] study incorrectness separation logic, the 
join of separation logic [21] and Incorrectness Logic. They notice that the original 
separation logic does not distinguish a pointer known to be dangling from one 
about which it has no information, and they introduce a new kind of heap 
assertion for dangling pointers. This issue is reminiscent of the difference between 
divergence and no information that we encounter in Abstract Interpretation. This 
may suggest the introduction of a similar distinction also in under-approximation 
domains, but a new point different from the one describing divergence needs a 
concretization, and no such element exists in a power set other than ∅. However, in 
Abstract Interpretation it happens at times that more general concrete domains 
allow more flexibility in the abstraction (e.g. as proposed for higher-order 
functional languages [5]), so it may be worth investigating the possibility of 
changing the concrete domain to account for this new point. 
All our results depend on the existence of a representable value. This assumption 
is motivated by the analysis performed, but is not a requirement of Abstract 
Interpretation itself. A way to remove this hypothesis may be to consider 
representable sets of minimal cardinality: functions defined as additive extensions 
do not increase cardinality, so such sets might take the place of singletons. The 
technical issue is if and how Lemma 4 can be generalized, but we believe it may 
be possible to relax that hypothesis about singletons. 

We have discussed the finite domain of integers at the end of Section 3, but 
all our general results deal with infinite concrete domains. Both theorems rely on 
cardinality estimates essentially based on the fact that arbitrary combinations 
of finite numbers are still finite, hence less than the cardinality of the concrete 
domain. However, with a finite concrete domain those would be replaced by 
combinations of logarithmic factors, which may become equal to the size of 
the concrete domain. For finite domains we can prove a result reminiscent of 
Theorem 15, but this topic requires thorough investigation to understand the 
new issues and possibilities it opens up. 

Abstract. The purpose of this paper is to introduce a notion of causality in 
Markov decision processes based on the probability-raising principle and to ana- 
lyze its algorithmic properties. The latter includes algorithms for checking cause- 
effect relationships and the existence of probability-raising causes for given effect 
scenarios. Inspired by concepts of statistical analysis, we study quality measures 
(recall, coverage ratio and f-score) for causes and develop algorithms for their 
computation. Finally, the computational complexity for finding optimal causes 
with respect to these measures is analyzed. 


1 Introduction 


As modern software systems control more and more aspects of our everyday lives, they 
grow increasingly complex. Even small changes to a system might cause undesired 
or even disastrous behavior. Therefore, the goal of modern computer science does not 
only lie in the development of powerful and versatile systems, but also in providing 
comprehensive techniques to understand these systems. In the area of formal verifi- 
cation, counterexamples, invariants and related certificates are often used to provide 
a verifiable justification that a system does or does not behave according to a specifi- 
cation (see e.g., [30,16,32]). These, however, provide only elementary insights on the 
system behavior. Thus, there is a growing demand for a deeper understanding on why 
a system satisfies or violates a specification and how different components influence 
the performance. The analysis of causal relations between events occurring during the 
execution of a system can lead to such understanding. The majority of prior work in 
this direction relies on causality notions based on Lewis’ counterfactual principle [29] 
stating the effect would not have occurred if the cause would not have happened. A 
prominent formalization of the counterfactual principle is given by Halpern and Pearl 
[21] via structural equation models. This inspired formal definitions of causality and 
related notions of blameworthiness and responsibility in Kripke and game structures 
(see, e.g., [15,11,14,40,19,41,7]). 

In this work, we approach the concept of causality in a probabilistic setting, where 
we focus on the widely accepted probability-raising principle which has its roots in 
Table 1. Complexity results for MDPs and Markov chains (MC) with fixed effect set 


          | for fixed set Cause                          | find optimal cause 
          | check PR     | compute quality values        | recall-optimal,     | f-score-optimal 
          | condition    | (recall, covratio, f-score)   | covratio-optimal    | 
  --------+--------------+-------------------------------+---------------------+------------------------------- 
  SPR     | ∈ P          | poly-time                     | poly-time           | poly-space; threshold problem 
          |              |                               |                     | ∈ NP ∩ coNP; poly-time for MC 
  GPR     | ∈ PSPACE and | poly-time                     | poly-space; threshold problems ∈ PSPACE and 
          | ∈ P for MC   |                               | NP-hard, and NP-complete for MC 


philosophy [38,39,18,22] and has been refined by Pearl [35] for causal and probabilis- 
tic reasoning in intelligent systems. The different notions of probability-raising cause- 
effect relations discussed in the literature share the following two main principles: 


(C1) Causes raise the probabilities for their effects, informally expressed by the re- 
quirement “Pr( effect|cause ) > Pr( effect)”. 
(C2) Causes must happen before their effects. 


Despite the huge amount of work on probabilistic causation in other disciplines, re- 
search on probability-raising causes in the context of formal methods is comparably 
rare and has concentrated on Markov chains (see, e.g., [24,25,6] and the discussion of 
related work in Section 3.2). To the best of our knowledge, probabilistic causation for 
probabilistic operational models with nondeterminism has not been studied before. 

We formalize the principles (C1) and (C2) for Markov decision processes (MDPs), 
a standard operational model combining probabilistic and non-deterministic behavior, 
and concentrate on reachability properties where both cause and effect are given as sets 
of states. Condition (C1) can be interpreted in two natural ways in this setting: On one 
hand, the probability-raising property can be locally required for each element of the 
cause. Such causes are called strict probability-raising (SPR) causes in our framework. 
This interpretation is especially suited when the task is to identify system states that 
have to be avoided for lowering the effect probability. On the other hand, one might want 
to treat the cause set globally as a unit in (C1) leading to the notion of global probability- 
raising (GPR) cause. Considering the cause set as a whole is better suited when further 
constraints are imposed on the candidates for cause set. This might apply, e.g., when the 
set of non-terminal states of the given MDP is partitioned into sets of states S_i under the 
control of an agent i, 1 ≤ i ≤ k. For the task to identify which agent's decisions cause 
the effect only the subsets of S_1, ..., S_k are candidates for causes. Furthermore, global 
causes are more appropriate when causes are used for monitoring purposes under partial 
observability constraints as then the cause candidates are sets of indistinguishable states. 

Different causes for an effect according to our definition can differ substantially 
regarding how well they predict the effect and how well the executions exhibiting the 
cause cover the executions showing the effect. Taking inspiration from measures used 
in statistical analysis (see, e.g., [36]), we introduce quality measures that allow us to 
compare causes and to look for optimal causes: The recall captures the probability that 
the effect is indeed preceded by the cause. The coverage-ratio quantifies the fraction of 
the probability that cause and effect are observed and the probability that the effect but 
not the cause is observed. Finally, the f-score, a widely used quality measure for binary 
classifiers, is the harmonic mean of recall and precision, i.e., the probability that the 
cause is followed by the effect. 


Contributions. The goal of this work is the mathematical and algorithmic foundation 
of probabilistic causation in MDPs based on (C1) and (C2). We introduce strict 
and global probability-raising causes in MDPs (Section 3). Algorithms are provided to 
check whether given cause and effect sets satisfy (one of) the probability-raising 
conditions (Sections 4.1 and 4.2) and to check the existence of causes for a given effect 
(Section 4.1). In order to evaluate the coverage properties of a cause, we subsequently 
introduce the above-mentioned quality measures (Section 5.1). We give algorithms for 
computing these values for given cause-effect relations (Section 5.2) and characterize 
the computational complexity of finding optimal causes with respect to the different 
measures (Section 5.3). Table 1 summarizes our complexity results. An extended 
version of this paper containing the omitted proofs can be found in [8]. 


2 Preliminaries 


Throughout the paper, we will assume some familiarity with basic concepts of Markov 
decision processes. Here, we only present a brief summary of the notations used in the 
paper. For more details, we refer to [37,9,23]. 

A Markov decision process (MDP) is a tuple M = (S, Act, P, init) where S is a finite 
set of states, Act a finite set of actions, init ∈ S the initial state and P : S × Act × S → [0, 1] 
the transition probability function such that Σ_{t∈S} P(s, α, t) ∈ {0, 1} for all states s ∈ S 
and actions α ∈ Act. An action α is enabled in state s ∈ S if Σ_{t∈S} P(s, α, t) = 1. We 
define Act(s) = {α | α is enabled in s}. A state t is terminal if Act(t) = ∅. A Markov 
chain (MC) is a special case of an MDP where Act is a singleton (we then write P(s, u) 
rather than P(s, α, u)). A path in an MDP M is a (finite or infinite) alternating sequence 
π = s_0 α_0 s_1 α_1 s_2 ... ∈ (S × Act)* S ∪ (S × Act)^ω such that P(s_i, α_i, s_{i+1}) > 0 for all 
indices i. A path is called maximal if it is infinite or finite and ends in a terminal state. 
An MDP can be interpreted as a Kripke structure in which transitions go from states to 
probability distributions over states. 

A (randomized) scheduler 𝔖 is a function that maps each finite non-maximal path 
s_0 α_0 ... α_{n−1} s_n to a distribution over Act(s_n). 𝔖 is called deterministic if 𝔖(π) is a 
Dirac distribution for all finite non-maximal paths π. If the chosen action only depends 
on the last state of the path, 𝔖 is called memoryless. We write MR for the class of 
memoryless (randomized) and MD for the class of memoryless deterministic schedulers. 
Finite-memory schedulers are those that are representable by a finite-state automaton. 

The scheduler 𝔖 of M induces a (possibly infinite) Markov chain. We write Pr^𝔖_{M,s} 
for the standard probability measure on measurable sets of maximal paths in the Markov 
chain induced by 𝔖 with initial state s. If φ is a measurable set of maximal paths, then 
Pr^max_{M,s}(φ) and Pr^min_{M,s}(φ) denote the supremum resp. infimum of the probabilities for φ 
under all schedulers. We use the abbreviation Pr^𝔖_M = Pr^𝔖_{M,init} and the notations Pr^max_M 
and Pr^min_M for extremal probabilities. Analogous notations will be used for expectations. So, 
if f is a random variable, then, e.g., E^𝔖_{M,s}(f) denotes the expectation of f under 𝔖 and 
E^max_{M,s}(f) its supremum over all schedulers. We use LTL-like temporal modalities such as 
◇ (eventually) and U (until) to denote path properties. For X, T ⊆ S the formula X U T is 
satisfied by paths π = s_0 s_1 ... such that there exists j ≥ 0 such that for all i < j : s_i ∈ X 
and s_j ∈ T, and ◇T = S U T. It is well-known that Pr^min_M(X U T) and Pr^max_M(X U T) and 
corresponding optimal MD-schedulers are computable in polynomial time. 

If s ∈ S and α ∈ Act(s), then (s, α) is said to be a state-action pair of M. An end 
component (EC) of an MDP M is a strongly connected sub-MDP containing at least 
one state-action pair. ECs will often be identified with the set of their state-action pairs. 
An EC ℰ is called maximal (abbreviated MEC) if there is no proper superset ℰ' of (the 
set of state-action pairs of) ℰ which is an EC. 


3 Strict and global probability-raising causes 


We now provide formal definitions for cause-effect relations in MDPs which rely on 
the probability-raising (PR) principle as stated by (C1) and (C2) in the introduction. We 
focus on the case where both causes and effects are state properties, i.e., sets of states. 

In the sequel, let M = (S, Act, P, init) be an MDP and Eff ⊆ S \ {init} a nonempty set 
of terminal states. (As the effect set is fixed, for the analysis of cause-effect relationships 
in M it suffices to assume all effect states are terminal by (C2).) Furthermore, we may 
assume that every state s ∈ S is reachable from init. 

We consider here two variants of the probability-raising condition: the global set- 
ting treats the set Cause as a unit, while the strict view requires the probability-raising 
condition for all states in Cause individually. 


Definition 1 (Global and strict probability-raising cause (GPR/SPR cause)). Let 
M and Eff be as above and Cause a nonempty subset of S \ Eff. Then, Cause is said to 
be a GPR cause for Eff iff the following two conditions (G) and (M) hold: 


(G) For each scheduler 𝔖 where Pr^𝔖_M(◇Cause) > 0: 

        Pr^𝔖_M( ◇Eff | ◇Cause ) > Pr^𝔖_M(◇Eff).                           (GPR) 

(M) For each c ∈ Cause, there is a scheduler 𝔖 with Pr^𝔖_M((¬Cause) U c) > 0. 

Cause is called an SPR cause for Eff iff (M) and the following condition (S) hold: 


(S) For each state c ∈ Cause and each scheduler 𝔖 where Pr^𝔖_M((¬Cause) U c) > 0: 

        Pr^𝔖_M( ◇Eff | (¬Cause) U c ) > Pr^𝔖_M(◇Eff).                    (SPR) 


Condition (M) can be seen as a minimality requirement, as states c ∈ Cause which 
are not accessible from init without traversing other states in Cause could be omitted 
without affecting the true positives (events where an effect state is reached after 
visiting a cause state, "covered effects") or false negatives (events where an effect state 
is reached without visiting a cause state before, "uncovered effects"). More concretely, 
whenever a set C ⊆ S \ Eff satisfies condition (G) or (S), then the set Cause of states 
c ∈ C where M has a path from init satisfying (¬C) U c is a GPR resp. an SPR cause. 
3.1 Examples and simple properties of probability-raising causes 


We first observe that SPR/GPR causes cannot contain the initial state init, since 
otherwise an equality instead of an inequality would hold in (GPR) and (SPR). Furthermore, 
as a direct consequence of the definitions and using the equivalence of the LTL formulas 
◇Cause and (¬Cause) U Cause we obtain: 


Lemma 1 (Singleton PR causes). If Cause is a singleton then Cause is an SPR cause 
for Eff if and only if Cause is a GPR cause for Eff. 


As the event ◇Cause is a disjoint union of all events (¬Cause) U c with c ∈ Cause, 
the probability for covered effects Pr^𝔖_M( ◇Eff | ◇Cause ) is a weighted average of the 
probabilities Pr^𝔖_M( ◇Eff | (¬Cause) U c ) for c ∈ Cause. This yields: 


Lemma 2 (Strict implies global). Every SPR cause for Eff is a GPR cause for Eff. 


Example 1 (Non-strict GPR cause). Consider the Markov chain M depicted in the figure 
(not reproduced here), where the nodes represent states and the directed edges represent 
transitions labeled with their respective probabilities. Let Eff = {eff}. Computing from 
the transition probabilities of the figure one obtains Pr_M(◇Eff | ◇c_1) = Pr_{M,c_1}(◇eff) = 1 
> Pr_M(◇Eff), whereas Pr_M(◇Eff | ◇c_2) = Pr_{M,c_2}(◇eff) ≤ Pr_M(◇Eff). Thus, {c_1} is both 
an SPR and a GPR cause for Eff, while {c_2} is not. The set Cause = {c_1, c_2} is 
nevertheless a non-strict GPR cause for Eff, since the weighted average of the two 
conditional probabilities satisfies 


        Pr_M( ◇Eff | ◇Cause ) > Pr_M(◇Eff). 


The second condition (M) is obviously fulfilled. Non-strictness follows from the 
fact that the SPR condition does not hold for state c_2. ◁ 
Example 2 (Probability-raising causes might not exist). PR causes might not exist, even 
if M is a Markov chain. This applies, e.g., to the Markov chain M with two states init 
and eff where P(init, eff) = 1 and the effect set Eff = {eff}. The only cause candidate 
is the singleton {init}. However, the strict inequality in (GPR) or (SPR) does not hold 
for Cause = {init}. The same phenomenon occurs if all non-terminal states of a Markov 
chain reach the effect states with the same probability. In such cases, however, the 
non-existence of PR causes is well justified, as the events ◇Eff and ◇Cause are stochastically 
independent for every set Cause ⊆ S \ Eff. ◁ 
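Definition 1 and Lemmas 1 and 2 can be exercised on a small Markov chain, where the quantification over schedulers collapses to the single induced measure. The Python below is an added example, not code or data from the paper: the chain MC is constructed for this illustration (it is not the chain of Example 1, whose figure is not reproduced), Pr_{M,s}(◇T) is computed exactly with rationals by solving the linear system x = P x restricted to the states that can reach T, Pr_M((¬Cause) U c) is obtained by making the cause states absorbing so that (¬Cause) U c becomes ◇c, and conditions (M), (S) and (G) are evaluated from the resulting values. The state names, transition probabilities and helper names are assumptions of this example. The constructed chain exhibits a non-strict GPR cause as in Example 1, and the last call reproduces the phenomenon of Example 2.

```python
"""Added example (not from the paper): checking the SPR / GPR conditions of
Definition 1 on a finite Markov chain with exact rational arithmetic.
The chain MC is constructed for this illustration and is not the chain of
Example 1 (whose figure is not reproduced here)."""
from fractions import Fraction as Fr

# Constructed Markov chain: MC[s][t] = P(s, t).  eff and no are terminal.
MC = {
    "init": {"c1": Fr(1, 4), "c2": Fr(1, 4), "s": Fr(1, 2)},
    "s":    {"eff": Fr(1, 4), "s": Fr(1, 4), "no": Fr(1, 2)},   # self-loop: a genuine cycle
    "c1":   {"eff": Fr(9, 10), "no": Fr(1, 10)},
    "c2":   {"eff": Fr(1, 5), "s": Fr(4, 5)},
    "eff":  {},
    "no":   {},
}


def solve(A, b):
    """Gauss-Jordan elimination over Fractions; A must be non-singular."""
    n = len(b)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        piv = next(r for r in range(col, n) if M[r][col] != 0)
        M[col], M[piv] = M[piv], M[col]
        pv = M[col][col]
        M[col] = [v / pv for v in M[col]]
        for r in range(n):
            if r != col and M[r][col] != 0:
                f = M[r][col]
                M[r] = [a - f * c for a, c in zip(M[r], M[col])]
    return [M[i][n] for i in range(n)]


def reach_prob(mc, target):
    """Pr_s(<>target) for every state s.  States that cannot reach target get 0;
    the remaining non-target states are transient, so x = P x + P(., target)
    has a unique solution there."""
    can = set(target)
    changed = True
    while changed:                                   # backward reachability to target
        changed = False
        for s, succ in mc.items():
            if s not in can and any(t in can for t in succ):
                can.add(s)
                changed = True
    unknown = [s for s in mc if s in can and s not in target]
    idx = {s: i for i, s in enumerate(unknown)}
    A = [[Fr(0)] * len(unknown) for _ in unknown]
    b = [Fr(0) for _ in unknown]
    for s in unknown:
        i = idx[s]
        A[i][i] += 1                                 # (I - P) x = P(., target)
        for t, p in mc[s].items():
            if t in target:
                b[i] += p
            elif t in idx:
                A[i][idx[t]] -= p
    x = solve(A, b)
    probs = {s: Fr(0) for s in mc}
    probs.update({s: Fr(1) for s in target})
    probs.update({s: x[idx[s]] for s in unknown})
    return probs


def pr_cause_analysis(mc, init, cause, eff):
    """Evaluate (M), (S) and (G) of Definition 1 for a Markov chain (one scheduler)."""
    p_eff = reach_prob(mc, eff)                                  # Pr_{M,s}(<>Eff) for all s
    absorbing = {s: ({} if s in cause else succ) for s, succ in mc.items()}
    first_hit = {c: reach_prob(absorbing, {c})[init] for c in cause}   # Pr((not Cause) U c)
    base = p_eff[init]                                           # Pr_M(<>Eff)
    p_cause = sum(first_hit.values())                            # Pr(<>Cause): disjoint union over c
    p_cov = sum(first_hit[c] * p_eff[c] for c in cause)          # Pr(<>Eff and <>Cause)
    minimal = all(first_hit[c] > 0 for c in cause)               # (M)
    spr = minimal and all(p_eff[c] > base for c in cause)        # (S): Pr_{M,c}(<>Eff) > Pr_M(<>Eff)
    gpr = minimal and p_cause > 0 and p_cov / p_cause > base     # (G): Pr(<>Eff | <>Cause) > Pr(<>Eff)
    return {"pr_eff": base, "pr_eff_given_cause": p_cov / p_cause if p_cause else None,
            "per_state": {c: p_eff[c] for c in cause}, "spr": spr, "gpr": gpr}


if __name__ == "__main__":
    for cause in ({"c1"}, {"c2"}, {"c1", "c2"}):
        print(sorted(cause), pr_cause_analysis(MC, "init", cause, {"eff"}))
    # Example 2 of the paper: init -> eff with probability 1, so no PR cause exists.
    print(pr_cause_analysis({"init": {"eff": Fr(1)}, "eff": {}}, "init", {"init"}, {"eff"}))
```

For the constructed chain, Pr_M(◇Eff) = 61/120, Pr_{M,c_1}(◇eff) = 9/10 and Pr_{M,c_2}(◇eff) = 7/15, so {c_1} is an SPR (hence GPR) cause, {c_2} is neither, and {c_1, c_2} is a non-strict GPR cause with Pr_M(◇Eff | ◇Cause) = 41/60, the weighted average of Lemma 2. For a singleton the two verdicts coincide, as Lemma 1 states.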


Remark 1 (Memory needed for refuting PR condition). Let M be the MDP in Figure 1, 
where the notation is similar to Example 1 with the addition of actions α, β and γ. Let 
Cause = {c} and Eff = {eff}. Only state s has a nondeterministic choice. Cause is not 
a PR cause. To see this, regard the deterministic scheduler 𝔗 that schedules β only for 
the first visit of s and α for the second visit of s. Then, with the transition probabilities 
of Figure 1 (not reproduced here): 


        Pr^𝔗_M(◇eff) > Pr^𝔗_M(◇eff | ◇c). 

Fig. 1. MDP M from Remark 1                      Fig. 2. MDP M from Remark 2 


Denote the MR schedulers reaching c with positive probability as 𝔖_λ with 𝔖_λ(s)(α) 
= λ and 𝔖_λ(s)(β) = 1 − λ for some λ ∈ [0, 1[. Then, Pr^{𝔖_λ}_M(◇eff) > 0 and: 


        Pr^{𝔖_λ}_M(◇eff) < Pr^{𝔖_λ}_{M,c}(◇eff) = Pr^{𝔖_λ}_M(◇eff | ◇c). 


Thus, the SPR/GPR condition holds for Cause and Eff under all memoryless schedulers 
reaching Cause with positive probability, although Cause is not a PR cause. ◁ 


Remark 2 (Randomization needed for refuting PR condition). Consider the MDP M of 
Figure 2. Let Eff = {eff_unc, eff_cov} and Cause = {c}. The two MD-schedulers 𝔖_α and 𝔖_β 
that select α resp. β for the initial state init are the only deterministic schedulers. As 𝔖_α 
does not reach c, it is irrelevant for the SPR or GPR condition. 𝔖_β satisfies (SPR) and 
(GPR) as Pr^{𝔖_β}_M(◇Eff | ◇c) > Pr^{𝔖_β}_M(◇Eff). The MR scheduler 𝔗 which selects 
α and β with probability 1/2 each in init reaches c with positive probability and violates 
(SPR) and (GPR), as Pr^𝔗_M(◇Eff | ◇c) < Pr^𝔗_M(◇Eff) (the numerical values follow from 
the transition probabilities of Figure 2, not reproduced here). ◁ 


Remark 3 (Cause-effect relations for regular classes of schedulers). The definitions of 
PR causes in MDPs impose constraints for all schedulers reaching a cause state. This 
condition is fairly strong and might lead to the phenomenon that no PR cause exists. 
However, replacing M with an MDP resulting from the synchronous parallel 
composition of M with a deterministic finite automaton representing a regular constraint on 
the scheduled state-action sequences (e.g., "alternate between actions α and β in state 
s" or "take α on every third visit to state s and actions β or γ otherwise") leads to a 
weaker notion of PR causality. This can be useful to obtain more detailed information 
on cause-effect relationships in special scenarios, for example at design time, where 
multiple scenarios (regular classes of schedulers) are considered, or for a post-hoc 
analysis. For the latter, one seeks causes of an occurred effect, and the information about 
the scheduled actions is either extractable from log files or gathered by a monitor. ◁ 


Remark 4 (Action causality and other forms of PR causality). Our notions of PR causes 
are purely state-based with conditions that compare probabilities under the same 
scheduler. However, in combination with model transformations, the proposed notions are 
also applicable for reasoning about other forms of PR causality. 

Suppose the task is to check whether taking action α in state s raises the effect 
probability compared to never scheduling α in state s. Let M_0 and M_1 be copies of M 
with the following modifications: In M_0, the only enabled action of state s is α, while 
in M_1 the enabled actions of state s are the elements of Act(s) \ {α}. Let now N be the 
MDP whose initial state has a single enabled action and moves with probability 1/2 to 
M_0 and M_1. Then, action α raises the effect probability in M iff the initial state of M_0 
constitutes an SPR cause in N. This idea can be generalized to check whether scheduler 
classes satisfying a regular constraint have higher effect probability compared to all 
other schedulers. In this case, we can deal with an MDP N as above where M_0 and M_1 
are defined as the synchronous product of deterministic finite automata and M. ◁ 


3.2 Related work 


Previous work in the direction of probabilistic causation in stochastic operational models has mainly concentrated on Markov chains. Kleinberg [24,25] introduced prima facie causes in finite Markov chains where both causes and effects are formalized as PCTL state formulae, and thus they can be seen as sets of states as in our approach. The correspondence of Kleinberg's PCTL constraints for prima facie causes and the strict probability-raising condition formalized using conditional probabilities has been worked out in the survey article [5]. Our notion of SPR causes corresponds to Kleinberg's prima facie causes, except for the minimality condition (M). Ábrahám et al. [1] introduce a hyperlogic for Markov chains and give a formalization of probabilistic causation in Markov chains as a hyperproperty, which is consistent with Kleinberg's prima facie causes, and with SPR causes up to minimality. Cause-effect relations in Markov chains where effects are $\omega$-regular properties have been introduced in [6]. The notion relies on the strict probability-raising condition, but requires completeness in the sense that every path where the effect occurs has a prefix in the cause set. The paper [6] permits a non-strict inequality in the SPR condition with the consequence that causes always exist, which is not the case for our notions.

The survey article [5] introduces notions of global probability-raising causes for Markov chains where causes and effects can be path properties. The notion of reachability causes in Markov chains of [5] directly corresponds to our notion of GPR causes, the only difference being that [5] deals with a relaxed minimality condition and requires that the cause set is reachable without visiting an effect state before. The latter is inherent in our approach as we suppose that all states are reachable and the effect states are terminal.

To the best of our knowledge, probabilistic causation in MDPs has not been studied before. The only work in this direction we are aware of is the recent paper by Dimitrova et al. [17] on a hyperlogic, called PHL, for MDPs. While the paper focuses on the foundation of PHL, it contains an example illustrating how action causality can be formalized as a PHL formula. Roughly, the presented formula expresses that taking a specific action $\alpha$ increases the probability for reaching effect states. Thus, it also relies on the probability-raising principle, but compares the "effect probabilities" under different schedulers (which either schedule $\alpha$ or not) rather than comparing probabilities under the same scheduler as in our PR condition. However, as Remark 4 argues, to some extent our notions of PR causes can reason about action causality as well.

There has also been work on causality-based explanations of counterexamples in probabilistic models [27,28]. The underlying causality notion of this work, however, relies on the non-probabilistic counterfactual principle rather than the probability-raising condition. The same applies to the notions of forward and backward responsibility in stochastic games in extensive form introduced in the recent work [7].


4 Checking the existence of PR causes and the PR conditions 


We now turn to algorithms for checking whether a given set Cause is an SPR or GPR 
cause for Eff. As condition (M) of SPR and GPR causes is verifiable by standard model 
checking techniques in polynomial time, we concentrate on checking the probability- 
raising conditions (SPR) and (GPR). For Markov chains, both (SPR) and (GPR) can 
be checked in polynomial time by computing the corresponding probabilities. So, the 
interesting case is checking the PR conditions in MDPs. 

We start by stating that for the SPR and GPR condition, it suffices to consider schedulers minimizing the probability to reach an effect state from every cause state.


Notation 1 (MDP with minimal effect probabilities from cause candidates). If $C \subseteq S$ then we write $M[C]$ for the MDP resulting from M by removing all enabled actions of the states in $C$. Instead, $M[C]$ has a new action $\gamma$ that is enabled exactly in the states $s \in C$ with the transition probabilities $P_{M[C]}(s,\gamma,\mathit{eff}) = \Pr^{\min}_{M,s}(\Diamond\mathit{Eff})$ and $P_{M[C]}(s,\gamma,\mathit{noeff}) = 1 - \Pr^{\min}_{M,s}(\Diamond\mathit{Eff})$. Here, $\mathit{eff}$ is a fixed state in Eff and $\mathit{noeff}$ a (possibly fresh) terminal state not in Eff. We write $M[c]$ if $C = \{c\}$ is a singleton.


Lemma 3. Let $M = (S, \mathit{Act}, P, \mathit{init})$ be an MDP and $\mathit{Eff} \subseteq S$ a set of terminal states. Let $\mathit{Cause} \subseteq S \setminus \mathit{Eff}$. Then, Cause is an SPR cause (resp. a GPR cause) for Eff in M if and only if Cause is an SPR cause (resp. a GPR cause) for Eff in $M[\mathit{Cause}]$.


4.1 Checking the strict probability-raising condition and the existence of causes 


The basis of both checking the existence of PR causes or checking the SPR condition for a given cause candidate is the following polynomial time algorithm to check whether the SPR condition holds in a given state $c$ of M for all schedulers $\mathfrak{S}$ with $\Pr^{\mathfrak{S}}_M(\Diamond c) > 0$:


Algorithm 2. Input: state $c \in S$, set of terminal states $\mathit{Eff} \subseteq S$.
Task: Decide whether (SPR) holds in $c$ for all schedulers $\mathfrak{S}$.

Compute $w_c = \Pr^{\min}_{M,c}(\Diamond\mathit{Eff})$ and $q_s = \Pr^{\max}_{M[c],s}(\Diamond\mathit{Eff})$ for each state $s$ in $M[c]$.

1. If $q_{\mathit{init}} < w_c$, then return "yes, (SPR) holds for $c$".

2. If $q_{\mathit{init}} > w_c$, then return "no, (SPR) does not hold for $c$".

3. Suppose $q_{\mathit{init}} = w_c$. Let $A(s) = \{\alpha \in \mathit{Act}_{M[c]}(s) \mid q_s = \sum_{t \in S} P_{M[c]}(s,\alpha,t) \cdot q_t\}$ for each non-terminal state $s$. Let $M[c]^{\max}$ denote the sub-MDP of $M[c]$ induced by the state-action pairs $(s,\alpha)$ where $\alpha \in A(s)$.

3.1 If $c$ is reachable from $\mathit{init}$ in $M[c]^{\max}$, then return "no, (SPR) does not hold for $c$".
3.2 If $c$ is not reachable from $\mathit{init}$ in $M[c]^{\max}$, then return "yes, (SPR) holds for $c$".


Lemma 4. Algorithm 2 is sound and runs in polynomial time.

Soundness. Let $N = M[c]$. Soundness is obvious in case 1. For case 2, consider a real number $\lambda$ with $1 > \lambda > w_c / q_{\mathit{init}}$ and MD-schedulers $\mathfrak{T}$ and $\mathfrak{S}$ realizing $\Pr^{\mathfrak{T}}_{N,s}(\Diamond\mathit{Eff}) = q_s$ and $\Pr^{\mathfrak{S}}_{N,s}(\Diamond c) > 0$ for all states $s$. We can combine $\mathfrak{T}$ and $\mathfrak{S}$ to a new MR-scheduler $\mathfrak{U}$ with the property that $\Pr^{\mathfrak{U}}_N(\Diamond t) = \lambda \cdot \Pr^{\mathfrak{T}}_N(\Diamond t) + (1-\lambda) \cdot \Pr^{\mathfrak{S}}_N(\Diamond t)$ for all terminal states $t$ and for $t = c$. Then, $\mathfrak{U}$ witnesses a violation of (SPR). For case 3.1 consider an MD-scheduler $\mathfrak{S}$ of $M[c]^{\max}$ where $c$ is reachable from $\mathit{init}$ via a $\mathfrak{S}$-path and $\Pr^{\mathfrak{S}}_{N,s}(\Diamond\mathit{Eff}) = q_s$ for all states $s$. Then, (SPR) does not hold for $c$ in the scheduler $\mathfrak{S}$. In case 3.2 we have $\Pr^{\mathfrak{S}}_N(\Diamond c) = 0$ for all schedulers $\mathfrak{S}$ for N with $\Pr^{\mathfrak{S}}_N(\Diamond\mathit{Eff}) = q_{\mathit{init}} = w_c$. But then $\Pr^{\mathfrak{S}}_N(\Diamond c) > 0$ implies $\Pr^{\mathfrak{S}}_N(\Diamond\mathit{Eff}) < w_c$ as required in (SPR).
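Algorithm 2 carried out on small constructed MDPs, as an added example (not code from the paper): it builds $M[c]$ of Notation 1 with exact rational arithmetic, computes $w_c$ and the maximal effect probabilities $q_s$, and exercises all four outcomes of the case distinction. The MDP encoding, the state and action names and the four example MDPs are this example's own, and the MDPs are assumed acyclic apart from their terminal states so that reachability probabilities can be computed by recursion instead of value iteration.

```python
from fractions import Fraction as Fr

# Constructed example MDPs (not from the paper). An MDP is encoded as
# state -> {action -> {successor -> probability}}; terminal states map to {}.
# Every example MDP is acyclic apart from its terminal states, so reachability
# probabilities can be computed exactly by recursion (assumption of this example).


def reach_prob(mdp, target, s, opt, memo):
    """Pr^opt_{mdp,s}(<>target) for opt in {min, max}, exact over an acyclic MDP."""
    if s not in memo:
        if s in target:
            memo[s] = Fr(1)
        elif not mdp[s]:                           # terminal state outside target
            memo[s] = Fr(0)
        else:                                      # optimise over the enabled actions
            memo[s] = opt(sum(p * reach_prob(mdp, target, t, opt, memo)
                              for t, p in dist.items())
                          for dist in mdp[s].values())
    return memo[s]


def restrict_cause_state(mdp, c, w_c, eff_state, noeff_state="noeff_gamma"):
    """M[c] of Notation 1: in c only a fresh action gamma is enabled, moving to a fixed
    effect state with probability w_c and to a fresh terminal non-effect state otherwise."""
    m = {s: {a: dict(d) for a, d in acts.items()} for s, acts in mdp.items()}
    m[c] = {"gamma": {eff_state: w_c, noeff_state: 1 - w_c}}
    m[noeff_state] = {}
    return m


def reachable_via(mdp, init, target, allowed):
    """Is target reachable from init when only the actions in allowed[s] may be used?"""
    seen, stack = set(), [init]
    while stack:
        s = stack.pop()
        if s == target:
            return True
        if s not in seen:
            seen.add(s)
            for a in allowed.get(s, ()):
                stack.extend(mdp[s][a])
    return False


def spr_holds(mdp, init, c, eff):
    """Algorithm 2: does (SPR) hold in state c for all schedulers reaching c?
    Returns (answer, label of the case that decided it)."""
    w_c = reach_prob(mdp, eff, c, min, {})          # w_c = Pr^min_{M,c}(<>Eff)
    mc = restrict_cause_state(mdp, c, w_c, sorted(eff)[0])
    q = {}                                          # q_s = Pr^max_{M[c],s}(<>Eff)
    for s in mc:
        reach_prob(mc, eff, s, max, q)
    if q[init] < w_c:
        return True, "case 1"
    if q[init] > w_c:
        return False, "case 2"
    # case 3: A(s) = actions attaining q_s; they induce the sub-MDP M[c]^max
    allowed = {s: {a for a, d in acts.items()
                   if q[s] == sum(p * q[t] for t, p in d.items())}
               for s, acts in mc.items() if acts}
    if reachable_via(mc, init, c, allowed):
        return False, "case 3.1"
    return True, "case 3.2"


def example_mdps():
    """Four constructed MDPs, one per outcome of Algorithm 2 (Eff = {"eff"}, c = "c")."""
    c = {"alpha": {"eff": Fr(3, 4), "noeff": Fr(1, 4)}}   # gives w_c = 3/4 throughout
    base = {"c": c, "eff": {}, "noeff": {}}
    half = {"alpha": {"eff": Fr(1, 2), "noeff": Fr(1, 2)}}
    good = {"alpha": {"eff": Fr(3, 4), "noeff": Fr(1, 4)}}
    return {
        # q_init = 5/8 < 3/4: every scheduler reaching c has a lower overall effect probability
        "case 1": {**base, "init": {"alpha": {"c": Fr(1, 2), "a": Fr(1, 2)}}, "a": half},
        # beta in a reaches eff surely, so q_init = 1 > 3/4
        "case 2": {**base, "init": {"alpha": {"c": Fr(1, 2), "a": Fr(1, 2)}, "beta": {"a": Fr(1)}},
                   "a": {**half, "beta": {"eff": Fr(1)}}},
        # q_init = 3/4 = w_c and c lies on a q-optimal path (via alpha): equality, no raising
        "case 3.1": {**base, "init": {"alpha": {"c": Fr(1, 2), "a": Fr(1, 2)}, "beta": {"a": Fr(1)}},
                     "a": good},
        # q_init = 3/4 = w_c but only beta attains it, and beta avoids c
        "case 3.2": {**base, "init": {"alpha": {"c": Fr(1, 2), "a2": Fr(1, 2)}, "beta": {"a": Fr(1)}},
                     "a": good, "a2": half},
    }
```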


By applying Algorithm 2 to all states $c \in \mathit{Cause}$ and standard algorithms to check the existence of a path satisfying $(\neg\mathit{Cause})\,\mathrm{U}\,c$ for every state $c \in \mathit{Cause}$, we obtain:

Theorem 3 (Checking SPR causes). The problem "given M, Cause and Eff, check whether Cause is an SPR cause for Eff in M" is solvable in polynomial time.


Remark 5 (Memory requirements for refuting the SPR property). As the soundness proof for Algorithm 2 shows: If Cause does not satisfy the SPR condition, then there is an MR-scheduler $\mathfrak{S}$ for $M[\mathit{Cause}]$ witnessing the violation of (SPR). Scheduler $\mathfrak{S}$ corresponds to a finite-memory (randomized) scheduler $\mathfrak{T}$ with two memory cells for M: "before Cause" (where $\mathfrak{T}$ behaves as $\mathfrak{S}$) and "after Cause" (where $\mathfrak{T}$ behaves as an MD-scheduler minimizing the effect probability from every state). ◁


Lemma 5 (Criterion for the existence of probability-raising causes). Let M be an MDP and Eff a nonempty set of states. Then Eff has an SPR cause in M iff Eff has a GPR cause in M iff there is a state $c_0 \in S \setminus \mathit{Eff}$ such that the singleton $\{c_0\}$ is an SPR cause (and therefore a GPR cause) for Eff in M. In particular, the existence of SPR/GPR causes can be checked with Algorithm 2 in polynomial time.


4.2 Checking the global probability-raising condition 


Theorem 4. The problem “given M, Cause and Eff, check whether Cause is a GPR 
cause for Eff in M” is solvable in polynomial space. 


In order to provide an algorithm, we perform a model transformation after which the violation of (GPR) by a scheduler $\mathfrak{S}$ can be expressed solely in terms of the expected frequencies of the state-action pairs of the transformed MDP under $\mathfrak{S}$. This allows us to express the existence of a scheduler witnessing the non-causality of Cause in terms of the satisfiability of a quadratic constraint system. Then we can restrict the quantification in (G) to MR-schedulers in the transformed model. We trace back the memory requirements to $M[\mathit{Cause}]$ and to the original MDP M yielding the second main result. Still, memory can be necessary to witness non-causality (Remark 1).


Theorem 5. Let M be an MDP with effect set Eff as before and Cause a set of non-effect states such that condition (M) holds. If Cause is not a GPR cause for Eff, then there is an MR-scheduler for $M[\mathit{Cause}]$ refuting the GPR condition for Cause in $M[\mathit{Cause}]$ and a finite-memory scheduler for M with two memory cells refuting the GPR condition for Cause in M.

The remainder of this section is concerned with the proofs of Theorem 4 and Theorem 5. We suppose that both the effect set Eff and the cause candidate Cause are fixed disjoint subsets of the state space of the MDP M and that Cause satisfies (M).


Checking the GPR condition (Proof of Theorem 4). The first step is a polynomial- 
time model transformation which permits to make the following assumptions when 
checking the GPR condition of Cause for Eff. 


(A1) $\mathit{Eff} = \{\mathit{eff}_{\mathit{unc}}, \mathit{eff}_{\mathit{cov}}\}$ consists of two terminal states.

(A2) For every state $c \in \mathit{Cause}$, there is only a single enabled action, say $\mathit{Act}(c) = \{\gamma\}$, and there exists $w_c \in [0,1] \cap \mathbb{Q}$ such that $P(c,\gamma,\mathit{eff}_{\mathit{cov}}) = w_c$ and $P(c,\gamma,\mathit{noeff}_{\mathit{fp}}) = 1 - w_c$ where $\mathit{noeff}_{\mathit{fp}}$ is a terminal non-effect state and $\mathit{noeff}_{\mathit{fp}}$ and $\mathit{eff}_{\mathit{cov}}$ are only accessible via the $\gamma$-transition from the states $c \in \mathit{Cause}$.

(A3) M has no end components and there is a further terminal state $\mathit{noeff}_{\mathit{tn}}$ and an action $\tau$ such that $\tau \in \mathit{Act}(s)$ implies $P(s,\tau,\mathit{noeff}_{\mathit{tn}}) = 1$.


Intuitively, $\mathit{eff}_{\mathit{cov}}$ stands for covered effects ("Eff after Cause") and can be seen as a true positive, while $\mathit{eff}_{\mathit{unc}}$ represents the uncovered effects ("Eff without preceding Cause") and corresponds to a false negative. Let $\mathfrak{S}$ be a scheduler in M. Note that $\Pr^{\mathfrak{S}}_M((\neg\mathit{Cause})\,\mathrm{U}\,\mathit{Eff}) = \Pr^{\mathfrak{S}}_M(\Diamond\mathit{eff}_{\mathit{unc}})$ and $\Pr^{\mathfrak{S}}_M(\Diamond(\mathit{Cause} \wedge \Diamond\mathit{Eff})) = \Pr^{\mathfrak{S}}_M(\Diamond\mathit{eff}_{\mathit{cov}})$. As the cause states can not reach each other we also have $\Pr^{\mathfrak{S}}_M((\neg\mathit{Cause})\,\mathrm{U}\,c) = \Pr^{\mathfrak{S}}_M(\Diamond c)$ for each $c \in \mathit{Cause}$. The intuitive meaning of $\mathit{noeff}_{\mathit{fp}}$ is a false positive ("no effect after Cause"), while $\mathit{noeff}_{\mathit{tn}}$ stands for true negatives where neither the effect nor the cause is observed. Note that $\Pr^{\mathfrak{S}}_M(\Diamond(\mathit{Cause} \wedge \neg\Diamond\mathit{Eff})) = \Pr^{\mathfrak{S}}_M(\Diamond\mathit{noeff}_{\mathit{fp}})$ and $\Pr^{\mathfrak{S}}_M(\neg\Diamond\mathit{Cause} \wedge \neg\Diamond\mathit{Eff}) = \Pr^{\mathfrak{S}}_M(\Diamond\mathit{noeff}_{\mathit{tn}})$.


Justification of assumptions (A1)-(A3): We justify the assumptions as we can transform M into a new MDP of the same asymptotic size satisfying the above assumptions. Thanks to Lemma 3, we may suppose that $M = M[\mathit{Cause}]$ (see Notation 1) without changing the satisfaction of the GPR condition. We then may rename the effect state $\mathit{eff}$ and the non-effect state $\mathit{noeff}$ reachable from Cause into $\mathit{eff}_{\mathit{cov}}$ and $\mathit{noeff}_{\mathit{fp}}$, respectively. Furthermore, we collapse all other effect states into a single state $\mathit{eff}_{\mathit{unc}}$ and all true negative states into $\mathit{noeff}_{\mathit{tn}}$. Similarly, by renaming and possibly duplicating terminal states we also suppose that $\mathit{noeff}_{\mathit{fp}}$ has no other incoming transitions than the $\gamma$-transitions from the states in Cause. This ensures (A1) and (A2). For (A3) consider the set T of terminal states in the MDP obtained so far. We remove all end components by switching to the MEC-quotient [2], i.e., we collapse all states that belong to the same MEC $\mathcal{E}$ into a single state $s_{\mathcal{E}}$ while ignoring the actions inside $\mathcal{E}$. Additionally, we add a fresh $\tau$-transition from the states $s_{\mathcal{E}}$ to $\mathit{noeff}_{\mathit{tn}}$ (i.e., $P(s_{\mathcal{E}},\tau,\mathit{noeff}_{\mathit{tn}}) = 1$). The $\tau$-transitions from states $s_{\mathcal{E}}$ to $\mathit{noeff}_{\mathit{tn}}$ mimic cases where schedulers of the original MDP eventually enter an end component and stay there forever with positive probability. With assumptions (A1)-(A3), the GPR condition can be reformulated as follows:


Lemma 6. Under assumptions (A1)-(A3), Cause satisfies the GPR condition if and only if for each scheduler $\mathfrak{S}$ with $\Pr^{\mathfrak{S}}_M(\Diamond\mathit{Cause}) > 0$ the following condition holds:

$\Pr^{\mathfrak{S}}_M(\Diamond\mathit{Cause}) \cdot \Pr^{\mathfrak{S}}_M(\Diamond\mathit{eff}_{\mathit{unc}}) < \bigl(1 - \Pr^{\mathfrak{S}}_M(\Diamond\mathit{Cause})\bigr) \cdot \sum_{c \in \mathit{Cause}} \Pr^{\mathfrak{S}}_M(\Diamond c) \cdot w_c$ (GPR-1)
With assumptions (A1)-(A3), a terminal state of M is reached almost surely under any scheduler after finitely many steps in expectation. Given a scheduler $\mathfrak{S}$ for M, the expected frequencies (i.e., expected number of occurrences in maximal paths) of state-action pairs $(s,\alpha)$, states $s \in S$ and state-sets $T \subseteq S$ under $\mathfrak{S}$ are defined by:

$\mathit{freq}_{\mathfrak{S}}(s,\alpha) \stackrel{\text{def}}{=} \mathbb{E}^{\mathfrak{S}}_M(\text{number of visits to } s \text{ in which } \alpha \text{ is taken})$

$\mathit{freq}_{\mathfrak{S}}(s) \stackrel{\text{def}}{=} \sum_{\alpha \in \mathit{Act}(s)} \mathit{freq}_{\mathfrak{S}}(s,\alpha), \qquad \mathit{freq}_{\mathfrak{S}}(T) \stackrel{\text{def}}{=} \sum_{s \in T} \mathit{freq}_{\mathfrak{S}}(s).$


Let T be one of the sets $\{\mathit{eff}_{\mathit{cov}}\}$, $\{\mathit{eff}_{\mathit{unc}}\}$, Cause, or a singleton $\{c\}$ with $c \in \mathit{Cause}$. As T is visited at most once during each run of M (assumptions (A1) and (A2)), we have $\Pr^{\mathfrak{S}}_M(\Diamond T) = \mathit{freq}_{\mathfrak{S}}(T)$ for each scheduler $\mathfrak{S}$. This allows us to express the violation of the GPR condition in terms of a quadratic constraint system over variables for the expected frequencies of state-action pairs in the following way:

Let StAct denote the set of state-action pairs in M. We consider the following constraint system over the variables $x_{s,\alpha}$ for each $(s,\alpha) \in \mathit{StAct}$ where we use the short form notation $x_s = \sum_{\alpha \in \mathit{Act}(s)} x_{s,\alpha}$.

$x_{s,\alpha} \ge 0$ for all $(s,\alpha) \in \mathit{StAct}$ (1)

$x_{\mathit{init}} = 1 + \sum_{(t,\alpha) \in \mathit{StAct}} x_{t,\alpha} \cdot P(t,\alpha,\mathit{init})$ (2)

$x_s = \sum_{(t,\alpha) \in \mathit{StAct}} x_{t,\alpha} \cdot P(t,\alpha,s)$ for all $s \in S \setminus \{\mathit{init}\}$ (3)

Using well-known results for MDPs without ECs (see, e.g., [23, Theorem 9.16]), given a vector $x \in \mathbb{R}^{\mathit{StAct}}$, then $x$ is a solution to (1) and the balance equations (2) and (3) if and only if there is a (possibly history-dependent) scheduler $\mathfrak{S}$ for M with $x_{s,\alpha} = \mathit{freq}_{\mathfrak{S}}(s,\alpha)$ for all $(s,\alpha) \in \mathit{StAct}$ if and only if there is an MR-scheduler $\mathfrak{S}$ for M with $x_{s,\alpha} = \mathit{freq}_{\mathfrak{S}}(s,\alpha)$ for all $(s,\alpha) \in \mathit{StAct}$.

The violation of (GPR-1) in Lemma 6 and the condition $\Pr^{\mathfrak{S}}_M(\Diamond\mathit{Cause}) > 0$ can be reformulated in terms of the frequency-variables as follows, where $x_{\mathit{Cause}}$ is an abbreviation for $\sum_{c \in \mathit{Cause}} x_c$:

$x_{\mathit{Cause}} \cdot x_{\mathit{eff}_{\mathit{unc}}} \ge (1 - x_{\mathit{Cause}}) \cdot \sum_{c \in \mathit{Cause}} x_c \cdot w_c$ (4)

$x_{\mathit{Cause}} > 0$ (5)


Lemma 7. Under assumptions (A1)-(A3), the set Cause is not a GPR cause for Eff in 
M iff the constructed quadratic system of inequalities (1)-(5) has a solution. 


Proof of Theorem 4. The existence of a solution to the quadratic system of inequalities 
(Lemma 7) can straight-forwardly be formulated as a sentence in the language of the 
existential theory of the reals. The system of inequalities can be constructed from M, 
Cause, and Eff in polynomial time. Its solvability is decidable in polynomial space as 
the decision problem of the existential theory of the reals is in PSPACE [13]. 
Memory requirements of schedulers in the original MDP (Proof of Theorem 5). As stated above, every solution to the linear system of inequalities (1), (2), and (3) corresponds to expected frequencies of state-action pairs of an MR-scheduler in the transformed model satisfying (A1)-(A3). Hence:


Corollary 1. Under assumptions (A1)-(A3), Cause is no GPR cause for Eff iff there exists an MR-scheduler $\mathfrak{S}$ with $\Pr^{\mathfrak{S}}_M(\Diamond\mathit{Cause}) > 0$ violating the GPR condition.


The model transformation we used for assumptions (A1)-(A3), however, does affect the memory requirements of schedulers. We may further restrict the MR-schedulers necessary to witness non-causality under assumptions (A1)-(A3). For the following lemma, recall that $\tau$ is the action of the MEC quotient used for the extra transition from states representing MECs to a new trap state (see also assumption (A3)).


Lemma 8. Assume (A1)-(A3). Given an MR-scheduler $\mathfrak{U}$ with $\Pr^{\mathfrak{U}}_M(\Diamond\mathit{Cause}) > 0$ that violates (GPR), an MR-scheduler $\mathfrak{T}$ with $\mathfrak{T}(s)(\tau) \in \{0,1\}$ for each state $s$ with $\tau \in \mathit{Act}(s)$ that satisfies $\Pr^{\mathfrak{T}}_M(\Diamond\mathit{Cause}) > 0$ and violates (GPR) is computable in polynomial time.


The condition that $\tau$ only has to be scheduled with probability 0 or 1 in each state is the key to transfer the sufficiency of MR-schedulers to the MDP $M[\mathit{Cause}]$. This fact is of general interest as well and stated in the following theorem where $\tau$ again is the action added to move from a state $s_{\mathcal{E}}$ to the new trap state in the MEC-quotient.


Theorem 6. Let M be an MDP with pairwise disjoint action sets for all states. Then, for each MR-scheduler $\mathfrak{S}$ for the MEC-quotient of M with $\mathfrak{S}(s_{\mathcal{E}})(\tau) \in \{0,1\}$ for each MEC $\mathcal{E}$ of M there is an MR-scheduler $\mathfrak{T}$ for M such that every action $\alpha$ of M that does not belong to an MEC of M has the same expected frequency under $\mathfrak{S}$ and $\mathfrak{T}$.


Proof sketch. The crux are the cases where $\mathfrak{S}(s_{\mathcal{E}})(\tau) = 0$, which requires to traverse the MEC $\mathcal{E}$ of M in a memoryless way such that all actions leaving $\mathcal{E}$ have the same expected frequency under $\mathfrak{T}$ and $\mathfrak{S}$. First, we construct a finite-memory scheduler $\mathfrak{T}'$ that always leaves each such end component according to the distribution given by $\mathfrak{S}(s_{\mathcal{E}})$. By [23, Theorem 9.16], we then conclude that there is an MR-scheduler $\mathfrak{T}$ under which the expected frequencies of all state-action pairs are the same as under $\mathfrak{T}'$.


Proof of Theorem 5. The model transformation establishing assumptions (A1)-(A3) results in the MEC-quotient of $M[\mathit{Cause}]$ up to the renaming and collapsing of terminal states. By Corollary 1 and Theorem 6, we conclude that Cause is not a GPR cause for Eff in M iff there is an MR-scheduler $\mathfrak{S}$ for $M[\mathit{Cause}]$ with $\Pr^{\mathfrak{S}}_{M[\mathit{Cause}]}(\Diamond\mathit{Cause}) > 0$ that violates (GPR). As in Remark 5, $\mathfrak{S}$ can be extended to a finite-memory randomized scheduler $\mathfrak{T}$ for M with two memory cells.


Remark 6 (On lower bounds on GPR checking). Solving systems of quadratic inequalities with linear side constraints is NP-hard in general (see, e.g., [20]). For convex problems, in which the associated symmetric matrix in the quadratic inequality has only non-negative eigenvalues, the problem is, however, solvable in polynomial time [26]. Unfortunately, the quadratic constraint system given by (1)-(5) is not of this form. Even if Cause is a singleton $\{c\}$ and the variable $x_{\mathit{eff}_{\mathit{unc}}}$ is forced to take a constant value $y$ by (1)-(3), i.e., by the structure of the MDP, the inequality (4) takes the form:

$x_c \cdot w_c - x_c^2 \cdot (w_c + y) \le 0$ (*)

Here, the $1 \times 1$-matrix $(-w_c - y)$ has a negative eigenvalue. Although it is not ruled out that (1)-(5) belongs to another class of efficiently solvable constraint systems, the NP-hardness result in [33] for the solvability of quadratic inequalities of the form (*) with linear side constraints might be an indication for the computational difficulty. ◁


5 Quality and optimality of causes 


The goal of this section is to identify notions that measure how "good" causes are and to present algorithms to determine good causes according to proposed quality measures. We have seen so far that small (singleton) causes are easy to determine (see Section 4.1). Moreover, it is easy to see that the proposed existence-checking algorithm can be transformed such that it returns a singleton (strict or global) probability-raising cause $\{c_0\}$ with maximal precision, i.e., a state $c_0$ where $\inf_{\mathfrak{S}} \Pr^{\mathfrak{S}}_M(\Diamond\mathit{Eff} \mid \Diamond c_0) = \Pr^{\min}_{M,c_0}(\Diamond\mathit{Eff})$ is maximal. On the other hand, singleton or small cause sets might have poor coverage in the sense that the probability of paths which reach an effect state without visiting a cause state before ("uncovered effects") can be large. This motivates the consideration of quality notions for causes that incorporate how well effect scenarios are covered. We take inspiration from quality measures that are considered in statistical analysis (see e.g. [36]). This includes the recall as a measure for the relative coverage (proportion of covered effects among all effect scenarios), the coverage ratio (quotient of covered and uncovered effects) as well as the f-score. The f-score is a standard measure for classifiers defined by the harmonic mean of precision and recall. It can be seen as a compromise to achieve both good precision and good recall.

Throughout this section, we assume as before an MDP $M = (S, \mathit{Act}, P, \mathit{init})$ and a set $\mathit{Eff} \subseteq S$ are given where all effect states are terminal. Furthermore, we suppose that all states $s \in S$ are reachable from $\mathit{init}$.


5.1 Quality measures for causes 


In statistical analysis, the precision of a classifier with binary outcomes ("positive" or "negative") is defined as the ratio of all true positives among all positively classified elements, while its recall is defined as the ratio of all true positives among all actual positive elements. Translated to our setting, we consider classifiers induced by a given cause set Cause that return "positive" for sample paths in case that a cause state is visited and "negative" otherwise. The intuitive meaning of true positives and false negatives is as explained after Definition 1. The meaning of true negatives and false positives is analogous. We use $\mathit{tp}^{\mathfrak{S}}$ for the probability for true positives under $\mathfrak{S}$. The notations $\mathit{fp}^{\mathfrak{S}}$, $\mathit{fn}^{\mathfrak{S}}$, $\mathit{tn}^{\mathfrak{S}}$ have analogous meanings.

With this interpretation of causes as binary classifiers in mind, the recall, precision and coverage ratio of a cause set Cause under a scheduler $\mathfrak{S}$ are defined as follows (assuming $\Pr^{\mathfrak{S}}_M(\Diamond\mathit{Eff}) > 0$ resp. $\Pr^{\mathfrak{S}}_M(\Diamond\mathit{Cause}) > 0$ resp. $\Pr^{\mathfrak{S}}_M((\neg\mathit{Cause})\,\mathrm{U}\,\mathit{Eff}) > 0$):

$\mathit{precision}^{\mathfrak{S}}(\mathit{Cause}) \stackrel{\text{def}}{=} \Pr^{\mathfrak{S}}_M(\Diamond\mathit{Eff} \mid \Diamond\mathit{Cause}) = \dfrac{\mathit{tp}^{\mathfrak{S}}}{\mathit{tp}^{\mathfrak{S}} + \mathit{fp}^{\mathfrak{S}}}$

$\mathit{recall}^{\mathfrak{S}}(\mathit{Cause}) \stackrel{\text{def}}{=} \Pr^{\mathfrak{S}}_M(\Diamond\mathit{Cause} \mid \Diamond\mathit{Eff}) = \dfrac{\mathit{tp}^{\mathfrak{S}}}{\mathit{tp}^{\mathfrak{S}} + \mathit{fn}^{\mathfrak{S}}}$

$\mathit{covrat}^{\mathfrak{S}}(\mathit{Cause}) \stackrel{\text{def}}{=} \dfrac{\Pr^{\mathfrak{S}}_M(\Diamond(\mathit{Cause} \wedge \Diamond\mathit{Eff}))}{\Pr^{\mathfrak{S}}_M((\neg\mathit{Cause})\,\mathrm{U}\,\mathit{Eff})} = \dfrac{\mathit{tp}^{\mathfrak{S}}}{\mathit{fn}^{\mathfrak{S}}}$

For the coverage ratio, if $\Pr^{\mathfrak{S}}_M((\neg\mathit{Cause})\,\mathrm{U}\,\mathit{Eff}) = 0$ and $\Pr^{\mathfrak{S}}_M(\Diamond\mathit{Cause}) > 0$ we define $\mathit{covrat}^{\mathfrak{S}}(\mathit{Cause}) = +\infty$. Finally, the f-score of Cause under a scheduler $\mathfrak{S}$ is defined as the harmonic mean of the precision and recall (assuming $\Pr^{\mathfrak{S}}_M(\Diamond\mathit{Cause}) > 0$, which implies $\Pr^{\mathfrak{S}}_M(\Diamond\mathit{Eff}) > 0$ as Cause is a PR cause):

$\mathit{fscore}^{\mathfrak{S}}(\mathit{Cause}) \stackrel{\text{def}}{=} \dfrac{2 \cdot \mathit{precision}^{\mathfrak{S}}(\mathit{Cause}) \cdot \mathit{recall}^{\mathfrak{S}}(\mathit{Cause})}{\mathit{precision}^{\mathfrak{S}}(\mathit{Cause}) + \mathit{recall}^{\mathfrak{S}}(\mathit{Cause})}$

If, however, $\Pr^{\mathfrak{S}}_M(\Diamond\mathit{Eff}) > 0$ and $\Pr^{\mathfrak{S}}_M(\Diamond\mathit{Cause}) = 0$ we define $\mathit{fscore}^{\mathfrak{S}}(\mathit{Cause}) = 0$.


Quality measures for cause sets. Let Cause be a PR cause. The recall of Cause measures the relative coverage in terms of the worst-case conditional probability for covered effects (true positives) among all scenarios where the effect occurs:

$\mathit{recall}(\mathit{Cause}) = \inf_{\mathfrak{S}} \mathit{recall}^{\mathfrak{S}}(\mathit{Cause}) = \Pr^{\min}_M(\Diamond\mathit{Cause} \mid \Diamond\mathit{Eff})$

when ranging over all schedulers $\mathfrak{S}$ with $\Pr^{\mathfrak{S}}_M(\Diamond\mathit{Eff}) > 0$. Likewise, the coverage ratio and f-score of Cause are defined by the worst-case coverage ratio resp. f-score (when ranging over schedulers for which $\mathit{covrat}^{\mathfrak{S}}(\mathit{Cause})$ resp. $\mathit{fscore}^{\mathfrak{S}}(\mathit{Cause})$ is defined):

$\mathit{covrat}(\mathit{Cause}) = \inf_{\mathfrak{S}} \mathit{covrat}^{\mathfrak{S}}(\mathit{Cause}), \qquad \mathit{fscore}(\mathit{Cause}) = \inf_{\mathfrak{S}} \mathit{fscore}^{\mathfrak{S}}(\mathit{Cause})$


5.2 Computation schemes for the quality measures for fixed cause set 


For this section, we assume a fixed PR cause Cause is given and address the problem to compute its quality values. Since all quality measures are preserved by the switch from M to $M[\mathit{Cause}]$ as well as the transformations of $M[\mathit{Cause}]$ to an MDP that satisfies conditions (A1)-(A3) of Section 4.2, we may assume that M satisfies (A1)-(A3).

While efficient computation methods for recall(Cause) are known from literature 
(see [10,31] for poly-time algorithms to compute conditional reachability probabilities), 
we are not aware of known concepts that are applicable for computing the coverage ratio 
or the f-score. Indeed, both are efficiently computable: 


Theorem 7. The values covrat(Cause) and fscore(Cause) and corresponding worst- 
case schedulers are computable in polynomial time. 


By definition, the value $\mathit{covrat}(\mathit{Cause})$ is the infimum over a quotient of reachability probabilities for disjoint sets of terminal states. While this is not the case for the f-score, we can express $\mathit{fscore}(\mathit{Cause})$ in terms of the supremum of such a quotient. More precisely, under assumptions (A1)-(A3) and assuming $\mathit{fscore}(\mathit{Cause}) > 0$, we have:

$\mathit{fscore}(\mathit{Cause}) = \dfrac{2}{X + 2} \quad \text{where} \quad X = \sup_{\mathfrak{S}} \dfrac{\Pr^{\mathfrak{S}}_M(\Diamond\mathit{noeff}_{\mathit{fp}}) + \Pr^{\mathfrak{S}}_M(\Diamond\mathit{eff}_{\mathit{unc}})}{\Pr^{\mathfrak{S}}_M(\Diamond\mathit{eff}_{\mathit{cov}})}$

where $\mathfrak{S}$ ranges over all schedulers with $\Pr^{\mathfrak{S}}_M(\Diamond\mathit{eff}_{\mathit{cov}}) > 0$. Furthermore, we have $\mathit{fscore}(\mathit{Cause}) = 0$ if and only if $\mathit{recall}(\mathit{Cause}) = 0$ if and only if there exists a scheduler $\mathfrak{S}$ satisfying $\Pr^{\mathfrak{S}}_M(\Diamond\mathit{Eff}) > 0$ and $\Pr^{\mathfrak{S}}_M(\Diamond\mathit{Cause}) = 0$.
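The quality measures of Section 5.1 and the identity $\mathit{fscore} = 2/(X+2)$ above, worked out on a constructed Markov chain (a single scheduler, so the worst-case values coincide with the values under it); this is an added example, not the authors' code. It assumes an acyclic chain with terminal effect states and cause sets with $\Pr(\Diamond\mathit{Cause}) > 0$ and $\Pr(\Diamond\mathit{Eff}) > 0$, so that all measures are defined; the chain, its state names and the two cause sets are the example's own.

```python
import math
from fractions import Fraction as Fr

# Constructed Markov chain (not from the paper): state -> {successor: probability};
# terminal states map to {}. Effect states are terminal, and the chain is acyclic so
# that the outcome probabilities can be computed exactly by recursion (assumptions
# of this example).
CHAIN = {
    "init": {"s1": Fr(1, 2), "s2": Fr(1, 2)},
    "s1": {"eff": Fr(3, 4), "noeff": Fr(1, 4)},
    "s2": {"s3": Fr(1, 2), "noeff": Fr(1, 2)},
    "s3": {"eff": Fr(1)},
    "eff": {},
    "noeff": {},
}
EFF = {"eff"}
# Pr(<>Eff) = 5/8 here; {s1} (effect probability 3/4 from s1) and {s1, s3} (3/4 and 1)
# are both SPR causes, so the measures below are defined for them.


def outcome_probs(chain, init, cause, eff):
    """(tp, fp, fn, tn) for the classifier induced by `cause`: a run is classified
    positive iff it visits a cause state, and is actually positive iff it ends in Eff."""
    memo = {}

    def go(s, seen_cause):
        seen_cause = seen_cause or s in cause
        key = (s, seen_cause)
        if key not in memo:
            if not chain[s]:                         # terminal: exactly one outcome
                is_eff = s in eff
                memo[key] = (Fr(int(seen_cause and is_eff)),          # true positive
                             Fr(int(seen_cause and not is_eff)),      # false positive
                             Fr(int(not seen_cause and is_eff)),      # false negative
                             Fr(int(not seen_cause and not is_eff)))  # true negative
            else:
                acc = [Fr(0)] * 4
                for t, p in chain[s].items():
                    for i, v in enumerate(go(t, seen_cause)):
                        acc[i] += p * v
                memo[key] = tuple(acc)
        return memo[key]

    return go(init, False)


def quality_measures(chain, init, cause, eff):
    """precision, recall, coverage ratio and f-score of Section 5.1 for a Markov chain
    (a single scheduler, so the worst-case values coincide with these)."""
    tp, fp, fn, tn = outcome_probs(chain, init, cause, eff)
    precision = tp / (tp + fp)                       # Pr(<>Eff | <>Cause)
    recall = tp / (tp + fn)                          # Pr(<>Cause | <>Eff)
    covrat = tp / fn if fn > 0 else math.inf         # +oo when no effect is uncovered
    fscore = 2 * precision * recall / (precision + recall)
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn, "precision": precision,
            "recall": recall, "covrat": covrat, "fscore": fscore}


def fscore_via_ratio(tp, fp, fn):
    """The Section 5.2 form fscore = 2/(X+2) with X = (fp + fn)/tp, i.e. the ratio of
    false classifications (noeff_fp, eff_unc) to covered effects (eff_cov)."""
    return Fr(2) / ((fp + fn) / tp + 2)
```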

So, the remaining task to prove Theorem 7 is a generally applicable technique for 
computing extremal ratios of reachability probabilities in MDPs without ECs. 
Max/min ratios of reachability probabilities for disjoint sets of terminal states. Suppose we are given an MDP $M = (S, \mathit{Act}, P, \mathit{init})$ without ECs and disjoint subsets $U, V \subseteq S$ of terminal states. Given a scheduler $\mathfrak{S}$ with $\Pr^{\mathfrak{S}}_M(\Diamond V) > 0$ we define:

$\mathit{ratio}^{\mathfrak{S}}_M(U,V) = \Pr^{\mathfrak{S}}_M(\Diamond U) / \Pr^{\mathfrak{S}}_M(\Diamond V)$

The goal is to compute the extremal values $\mathit{ratio}^{\min}_M(U,V) = \inf_{\mathfrak{S}} \mathit{ratio}^{\mathfrak{S}}_M(U,V)$ and $\mathit{ratio}^{\max}_M(U,V) = \sup_{\mathfrak{S}} \mathit{ratio}^{\mathfrak{S}}_M(U,V)$ where $\mathfrak{S}$ ranges over all schedulers such that $\Pr^{\mathfrak{S}}_M(\Diamond V) > 0$. For their computation, we rely on a polynomial reduction to the classical stochastic shortest path problem [12]. For this, consider the MDP N arising from M by adding reset transitions from all terminal states $t \in S \setminus V$ to $\mathit{init}$. Thus, exactly the $V$-states are terminal in N. The MDP N might contain ECs, which, however, do not intersect with $V$. We equip N with the weight function that assigns 1 to all states in $U$ and 0 to all other states. For a scheduler $\mathfrak{T}$ with $\Pr^{\mathfrak{T}}_N(\Diamond V) = 1$, let $\mathbb{E}^{\mathfrak{T}}_N(\boxplus V)$ be the expected accumulated weight until reaching $V$ under $\mathfrak{T}$. Let $\mathbb{E}^{\min}_N(\boxplus V) = \inf_{\mathfrak{T}} \mathbb{E}^{\mathfrak{T}}_N(\boxplus V)$ and $\mathbb{E}^{\max}_N(\boxplus V) = \sup_{\mathfrak{T}} \mathbb{E}^{\mathfrak{T}}_N(\boxplus V)$, where $\mathfrak{T}$ ranges over all schedulers with $\Pr^{\mathfrak{T}}_N(\Diamond V) = 1$. We can rely on known results [12,3,4] to obtain that both $\mathbb{E}^{\min}_N(\boxplus V)$ and $\mathbb{E}^{\max}_N(\boxplus V)$ are computable in polynomial time. As N has only non-negative weights, $\mathbb{E}^{\min}_N(\boxplus V)$ is finite and a corresponding MD-scheduler with minimal expectation exists. If N has an EC containing at least one $U$-state, which is the case iff M has a scheduler $\mathfrak{S}$ with $\Pr^{\mathfrak{S}}_M(\Diamond U) > 0$ and $\Pr^{\mathfrak{S}}_M(\Diamond V) = 0$, then $\mathbb{E}^{\max}_N(\boxplus V) = +\infty$. Otherwise, $\mathbb{E}^{\max}_N(\boxplus V)$ is finite and the maximum is achieved by an MD-scheduler as well.


Theorem 8. Let M be an MDP without ECs and $U, V$ disjoint sets of terminal states in M, and let N be the constructed MDP as above. Then, $\mathit{ratio}^{\min}_M(U,V) = \mathbb{E}^{\min}_N(\boxplus V)$ and $\mathit{ratio}^{\max}_M(U,V) = \mathbb{E}^{\max}_N(\boxplus V)$. Thus, both values are computable in polynomial time, and there is an MD-scheduler minimizing $\mathit{ratio}^{\mathfrak{S}}_M(U,V)$, and an MD-scheduler maximizing $\mathit{ratio}^{\mathfrak{S}}_M(U,V)$ if $\mathit{ratio}^{\max}_M(U,V)$ is finite.


Proof of Theorem 7. Using assumptions (A1)-(A3), we obtain that $\mathit{covrat}(\mathit{Cause}) = \mathit{ratio}^{\min}_M(U,V)$ where $U = \{\mathit{eff}_{\mathit{cov}}\}$, $V = \{\mathit{eff}_{\mathit{unc}}\}$. Similarly, with $U = \{\mathit{noeff}_{\mathit{fp}}, \mathit{eff}_{\mathit{unc}}\}$, $V = \{\mathit{eff}_{\mathit{cov}}\}$, we get $\mathit{fscore}(\mathit{Cause}) = 0$ if $\mathit{ratio}^{\max}_M(U,V) = +\infty$ and $\mathit{fscore}(\mathit{Cause}) = 2/(\mathit{ratio}^{\max}_M(U,V) + 2)$ otherwise. Thus, the claim follows from Theorem 8.


5.3 Quality-optimal probability-raising causes 


An SPR cause Cause is called recall-optimal if $\mathit{recall}(\mathit{Cause}) = \max_C \mathit{recall}(C)$ where $C$ ranges over all SPR causes. Likewise, ratio-optimality resp. f-score-optimality of Cause means maximality of $\mathit{covrat}(\mathit{Cause})$ resp. $\mathit{fscore}(\mathit{Cause})$ among all SPR causes. Recall-, ratio- and f-score-optimality for GPR causes are defined accordingly.


Lemma 9. Let Cause be an SPR or a GPR cause. Then, Cause is recall-optimal if and 
only if Cause is ratio-optimal. 


Recall- and ratio-optimal SPR causes. The techniques of Section 4.1 yield an algorithm for generating a canonical SPR cause with optimal recall and ratio. To see this, let $\mathfrak{C}$ denote the set of states that constitute a singleton SPR cause. The canonical cause CanCause is defined as the set of states $c \in \mathfrak{C}$ such that there is a scheduler $\mathfrak{S}$ with $\Pr^{\mathfrak{S}}_M((\neg\mathfrak{C})\,\mathrm{U}\,c) > 0$. Obviously, $\mathfrak{C}$ and CanCause are computable in polynomial time.

Theorem 9. If $\mathfrak{C} \neq \emptyset$ then CanCause is a ratio- and recall-optimal SPR cause.


This is not true for the f-score. To see this, consider the Markov chain shown in the accompanying figure (a small chain with transition probabilities 1/4, 1/2 and 3/4; figure not reproduced here). We have $\mathit{CanCause} = \{s_1\}$, which has precision(CanCause) = 3 and recall(CanCause) = 3/4 + 3) = 2. But the SPR cause $\{s_2\}$ has better f-score as its precision is 1 and it has the same recall as CanCause.


F-score-optimal SPR cause. From Section 5.2, we see that f-score-optimal SPR causes 
in MDPs can be computed in polynomial space by computing the f-score for all poten- 
tial SPR causes one by one in polynomial time (Theorem 7). As the space can be reused 
after each computation, this results in polynomial space. For Markov chains, we can do 
better and compute an f-score-optimal SPR cause in polynomial time via a polynomial 
reduction to the stochastic shortest path problem: 


Theorem 10. In Markov chains that have SPR causes, an f-score-optimal SPR cause 
can be computed in polynomial time. 


Proof. We regard the given Markov chain M as an MDP with a singleton action set $\mathit{Act} = \{\alpha\}$. As M has SPR causes, the set $\mathfrak{C}$ of states that constitute a singleton SPR cause is nonempty. We may assume that M has no non-trivial (i.e., cyclic) bottom strongly connected components as we may collapse them. Let $w_c = \Pr_{M,c}(\Diamond\mathit{Eff})$. We switch from M to a new MDP K with state space $S_K = S \cup \{\mathit{eff}_{\mathit{cov}}, \mathit{noeff}_{\mathit{fp}}\}$ with fresh states $\mathit{eff}_{\mathit{cov}}$ and $\mathit{noeff}_{\mathit{fp}}$ and the action set $\mathit{Act}_K = \{\alpha, \gamma\}$. The MDP K arises from M by adding (i) for each state $c \in \mathfrak{C}$ a fresh state-action pair $(c,\gamma)$ with $P_K(c,\gamma,\mathit{eff}_{\mathit{cov}}) = w_c$ and $P_K(c,\gamma,\mathit{noeff}_{\mathit{fp}}) = 1 - w_c$ and (ii) reset transitions to $\mathit{init}$ with action label $\alpha$ from the new state $\mathit{noeff}_{\mathit{fp}}$ and all terminal states of M, i.e., $P_K(\mathit{noeff}_{\mathit{fp}},\alpha,\mathit{init}) = 1$ and $P_K(s,\alpha,\mathit{init}) = 1$ for $s \in \mathit{Eff}$ or if $s$ is a terminal non-effect state of M. So, exactly $\mathit{eff}_{\mathit{cov}}$ is terminal in K, and $\mathit{Act}_K(c) = \{\alpha,\gamma\}$ for $c \in \mathfrak{C}$, while $\mathit{Act}_K(s) = \{\alpha\}$ for all other states $s$. Intuitively, taking action $\gamma$ in state $c \in \mathfrak{C}$ selects $c$ to be a cause state. The states in Eff represent uncovered effects in K, while $\mathit{eff}_{\mathit{cov}}$ stands for covered effects. We assign weight 1 to all states in $U = \mathit{Eff} \cup \{\mathit{noeff}_{\mathit{fp}}\}$ and weight 0 to all other states of K. Let $V = \{\mathit{eff}_{\mathit{cov}}\}$. Then, $f = \mathbb{E}^{\min}_K(\boxplus V)$ and an MD-scheduler $\mathfrak{S}$ for K such that $\mathbb{E}^{\mathfrak{S}}_K(\boxplus V) = f$ are computable in polynomial time. Let $\mathfrak{C}_\gamma$ denote the set of states $c \in \mathfrak{C}$ where $\mathfrak{S}(c) = \gamma$ and let Cause be the set of states $c \in \mathfrak{C}_\gamma$ where M has a path satisfying $(\neg\mathfrak{C}_\gamma)\,\mathrm{U}\,c$. Then, Cause is an SPR cause of M. With arguments as in Section 5.2 we obtain $\mathit{fscore}(\mathit{Cause}) = 2/(f+2)$. It remains to show that Cause is f-score-optimal. Let $C$ be an arbitrary SPR cause. Then, $C \subseteq \mathfrak{C}$. Let $\mathfrak{T}$ be the MD-scheduler for K that schedules $\gamma$ in $C$ and $\alpha$ for all other states of K. Then, $\mathit{fscore}(C) = 2/(f^{\mathfrak{T}}+2)$ where $f^{\mathfrak{T}} = \mathbb{E}^{\mathfrak{T}}_K(\boxplus V)$. Hence, $f \le f^{\mathfrak{T}}$, which yields $\mathit{fscore}(\mathit{Cause}) \ge \mathit{fscore}(C)$.


The naive adaption of the construction presented in the proof of Theorem 10 for MDPs would yield a stochastic game structure where the objective of one player is to minimize the expected accumulated weight until reaching a target state. Although algorithms for stochastic shortest path (SSP) games are known [34], they rely on assumptions on the game structure which would not be satisfied here. However, for the threshold problem SPR-f-score where inputs are an MDP M, Eff and $\vartheta \in \mathbb{Q}_{\ge 0}$ and the task is to decide the existence of an SPR cause whose f-score exceeds $\vartheta$, we can establish a polynomial reduction to SSP games, which yields an NP $\cap$ coNP upper bound:


Theorem 11. The decision problem SPR-f-score is in NP ∩ coNP.


Proof sketch. Given an MDP M, an effect set Eff, and ϑ ∈ Q, we construct an SSP
game [34] after a series of model transformations ensuring (i) that terminal states are 
reached almost surely and (ii) that Eff is reached with positive probability under all 
schedulers. Condition (i) is established by a standard MEC-quotient construction. To 
establish condition (ii), we provide a construction that forces schedulers to leave an 
initial sub-MDP in which the minimal probability to reach Eff is 0. This construction — 
unlike the MEC-quotient — affects the possible combinations of probability values with 
which terminal states and potential cause states can be reached, but the existence of an 
SPR cause satisfying the f-score-threshold condition is not affected. 

The underlying idea of the construction of the game shares similarities with the MDP constructed in the proof of Theorem 10: Player 0 takes the role to select potential cause states while player 1 takes the role of a scheduler in the transformed MDP. Using the observation that for each cause C, fscore(C) > ϑ iff

    2(1−ϑ) · Pr^𝔖_M(◇C ∧ ◇Eff) − ϑ · Pr^𝔖_M(¬◇C ∧ ◇Eff) − ϑ · Pr^𝔖_M(◇C ∧ ¬◇Eff) > 0        (∗)

for all schedulers 𝔖 for M with Pr^𝔖_M(◇Eff) > 0, weights are assigned to Eff-states and other terminal states depending on whether player 0 has chosen to include a state to the cause beforehand. In the resulting SSP game, both players have optimal MD-strategies [34]. Given such strategies ζ for player 0 and 𝔖 for player 1, the resulting expected accumulated weight agrees with the left-hand side of (∗) when considering 𝔖 as a scheduler for the transformed MDP and the cause C induced by the states that ζ chooses to belong to the cause. Thus, player 0 wins the constructed game iff an SPR cause with f-score above the threshold ϑ exists. The existence of optimal MD-strategies for both players allows us to decide this threshold problem in NP and coNP.


Optimality and threshold constraints for GPR causes. Computing optimal GPR causes for either quality measure can be done in polynomial space by considering all cause candidates, checking the GPR condition in polynomial space (Theorem 4) and computing the corresponding quality measure in polynomial time (Section 5.2). However, we show that no polynomial-time algorithms can be expected as the corresponding threshold problems are NP-hard. Let GPR-covratio (resp. GPR-recall, GPR-f-score) denote the decision problems: Given M, Eff and ϑ ∈ Q, decide whether there exists a GPR cause with coverage ratio (resp. recall, f-score) at least ϑ.


Theorem 12. The problems GPR-covratio, GPR-recall and GPR-f-score are NP-hard and belong to PSPACE. For Markov chains, all three problems are NP-complete. NP-hardness even holds for tree-like Markov chains.


Proof sketch. NP-hardness is established via a polynomial reduction from the knapsack problem. Membership in NP for Markov chains resp. in PSPACE = NPSPACE for MDPs is obvious as we can guess nondeterministically a cause candidate and then check (i) the GPR condition in polynomial time (Markov chains) resp. polynomial space (MDPs) and (ii) the threshold condition in polynomial time (see Section 5.2).
6 Conclusion


The goal of the paper was to formalize the probability-raising principle in MDPs and related quality notions for PR causes as well as to study fundamental algorithmic problems for them. We considered the strict (local) and the global view. Our results indicate that GPR causes are more general and leave more flexibility to achieve better accuracy, while algorithmic reasoning about SPR causes is simpler.

Existential definition of SPR/GPR causes. The proposed definition of PR causes relies on a universal quantification over all relevant schedulers. However, another approach could be via existential quantification, i.e. there is a scheduler 𝔖 such that (GPR) resp. (SPR) holds. The resulting notion of causality yields essentially the same results (up to Pr^min_{M,c}(◇Eff) instead of Pr^max_{M,c}(◇Eff) etc.). A canonical existential SPR cause can be defined in analogy to the universal case and shown to be recall- and ratio-optimal (cf. Theorem 9). The problem to find an existential f-score-optimal SPR cause is even simpler and solvable in polynomial time as the construction presented in the proof of Theorem 10 can be adapted for MDPs (thanks to the simpler nature of max_C sup_𝔖 fscore^𝔖(C) compared to max_C inf_𝔖 fscore^𝔖(C)). However, NP-hardness for the existence of GPR causes with threshold constraints for the quality carries over to the existential definition (as NP-hardness holds for Markov chains, Theorem 12).

Non-strict inequality in the PR conditions. Our notions of PR causes are in line with the classical approach of probability-raising causality in the literature with strict inequality in the PR condition. This has the consequence that causes might not exist (see Example 2). The switch to a relaxed definition of PR causes with non-strict inequality seems to
be a minor change that identifies more sets as causes. Indeed, the proposed algorithms 
for checking the SPR and GPR condition (Section 4) can easily be modified for the 
relaxed definition. While this leads to a questionable notion of causality (e.g., {init} 
would always be a recall- and ratio-optimal SPR cause under the relaxed definition), it 
could be useful in combination with other side constraints. E.g., requiring the relaxed 
PR condition for all schedulers which reach a cause state with positive probability and 
requiring the existence of a scheduler where the PR condition with strict inequality 
holds might be a useful alternative definition that agrees with Def. 1 for Markov chains. 

Relaxing the minimality condition (M). As many causality notions of the literature include some minimality constraint, we included condition (M). However, (M) could be dropped without affecting the algorithmic results presented here. This can be useful when the task is to identify components or agents that are responsible for the occurrences of undesired effects. In these cases the cause candidates are fixed (e.g., for each agent i, the set of states controlled by agent i), but some of them might violate (M).


Future directions include PR causality when causes and effects are path properties 
and the investigation of other quality measures for PR causes inspired by other in- 
dices for binary classifiers used in machine learning or customized for applications of 
cause-effect reasoning in MDPs. More sophisticated notions of probabilistic backward 
causality and considerations on PR causality with external interventions as in Pearl’s 
do-calculus [35] are left for future work. 
Abstract. Reconfigurable broadcast networks (RBN) are a model of
distributed computation in which agents can broadcast messages to other 
agents using some underlying communication topology which can change 
arbitrarily over the course of executions. In this paper, we conduct pa- 
rameterized analysis of RBN. We consider cubes, (infinite) sets of config- 
urations in the form of lower and upper bounds on the number of agents 
in each state, and we show that we can evaluate boolean combinations 
over cubes and reachability sets of cubes in PSPACE. In particular, reach- 
ability from a cube to another cube is a PSPACE-complete problem. 

To prove the upper bound for this parameterized analysis, we prove some 
structural properties about the reachability sets and the symbolic graph 
abstraction of RBN, which might be of independent interest. We justify 
this claim by providing two applications of these results. First, we show 
that the almost-sure coverability problem is PSPACE-complete for RBN, 
thereby closing a complexity gap from a previous paper [3]. Second, we 
define a computation model using RBN, à la population protocols, called 
RBN protocols. We characterize precisely the set of predicates that can 
be computed by such protocols. 


Keywords: Broadcast networks · Parameterized reachability · Almost-sure coverability · Asynchronous shared-memory systems


1 Introduction 


Reconfigurable broadcast networks (RBN) [8,10] are a formalism for modelling 
distributed systems in which a set of anonymous, finite-state agents execute the 
same underlying protocol and broadcast messages to their neighbors according to 
an underlying communication topology. The communication topology is reconfig- 
urable, meaning that the set of neighbors of an agent can change arbitrarily over 
the course of an execution. Parameterized verification of these networks concerns 
itself with proving that a given property is correct, irrespective of the number 
of participating agents. Dually, it can be viewed as the problem of finding an 
execution of some number of agents which violates a given property. Ever since
their introduction within this context [10], RBN have been studied extensively, 
with various results on (parameterized) reachability and coverability [8,10,3,7], 
along with various extensions using probabilities and clocks [5,4]. 

In this paper, we first consider the cube-reachability problem for RBN, in 
which we are given two (possibly infinite) sets of configurations C and C’ (called 
cubes), each of them defined by lower and upper bounds on the number of agents 
in each state, and we must decide if there is a configuration in C which can reach 
some configuration in C’. The cube-reachability question covers parameterized 
reachability and coverability problems, and as explained in [3], also covers the 
parameterized reachability problem for a generalized model of RBN called RBN 
with leaders. Moreover, a sub-problem of cube-reachability has already been 
studied for RBN in [8]. The authors show that this sub-problem is PSPACE- 
complete. One of the results in our paper is that the entire cube-reachability 
problem is PSPACE-complete, hence extending the sub-problem considered in [8], 
while still retaining the same complexity upper bound. 

In fact, our main result, which we call the PSPACE Theorem, is a more 
general result. It subsumes the above result for cube-reachability and allows for 
more complex parameterized analysis of RBN. The PSPACE Theorem roughly 
states that any boolean combination of atoms can be evaluated in PSPACE, 
where an atom is a finite union of cubes or the reachability set of a finite union 
of cubes (i.e. post* or pre*). To prove the PSPACE Theorem, we first consider 
the so called symbolic graph of a RBN ([8], Section 5). We prove some structural 
properties about these graphs, using results from [8]. Next, using these structural 
properties, we show that the set of reachable configurations of a cube C can be 
expressed as a finite union of cubes, each having a norm exponentially bounded 
in the size of the given RBN and C. This result then allows us to give an on-the-fly 
exploration algorithm for proving the PSPACE Theorem. 

We believe that the PSPACE Theorem and the results leading to it that 
we have proven in this paper have further applications to problems concerning 
RBN. To justify this claim, we provide two applications. First, we show that the 
almost-sure coverability problem for RBN is PSPACE-complete, thereby closing 
a complexity gap from a previous paper ([3], Section 5.3). Second, we define a 
computation model using RBN, called RBN protocols, which is similar in spirit 
to the population protocols model [1,2]. We characterize precisely the set of 
predicates that can be computed using RBN protocols. This result generalizes 
the corresponding result for IO protocols, which are a sub-class of population 
protocols that can be simulated by RBN protocols, as shown in ([3], Section 6.2). 


Finally, by the reduction given in ([3], Section 4.2), our results on cube- 
reachability and almost-sure coverability can be transferred to another model of 
distributed computation called asynchronous shared memory systems (ASMS), 
giving a PSPACE-completeness result for both of these problems. This solves an 
open problem from ([6], Section 6). 

To summarize, we have shown that many important parameterized problems 
of RBN can be solved in PSPACE, that the sub-problem of the cube-reachability 
problem defined in [8] can be generalized while retaining the same upper bounds,
and that the almost-sure coverability problems for RBN and ASMS are PSPACE- 
complete, thereby solving open problems from [3,6]. We believe that our other 
results might be of independent interest, and we provide an application by in- 
troducing RBN protocols and characterizing the set of predicates that they can 
compute. 

The paper is organized as follows. Section 2 contains preliminaries, including 
the definition of RBN. Section 3 defines the symbolic graph of a RBN, and proves 
the properties of this graph needed to derive our main result. Section 4 contains 
the main result that a host of parameterized problems over cubes, including 
cube-reachability, is PSPACE-complete for RBN. Finally, Sections 5 and 6 give 
applications of our main results: Section 5 solves the complexity gap for the 
almost-sure coverability problem, and Section 6 introduces RBN protocols and 
characterizes their expressive power. Due to lack of space, full proofs of some of 
the results can be found in the long version. 


2 Preliminaries 


The definitions and notations in this section are taken from [3]. 


2.1 Multisets 


A multiset on a finite set E is a mapping C: E → ℕ, i.e. for any e ∈ E, C(e) denotes the number of occurrences of element e in C. We let M(E) denote the set of all multisets on E. Let ⦃e_1, ..., e_n⦄ denote the multiset C such that C(e) = |{i | e_i = e}|. We sometimes write multisets using set-like notation. For example, ⦃2·a, b⦄ and ⦃a, a, b⦄ denote the same multiset. Given e ∈ E, we denote by e the multiset consisting of one occurrence of element e, that is ⦃e⦄. Operations on ℕ like addition or comparison are extended to multisets by defining them componentwise on each element of E. Subtraction is allowed as long as each component stays non-negative. We call |C| = Σ_{e∈E} C(e) the size of C.


2.2 Reconfigurable Broadcast Networks 


Reconfigurable broadcast networks (RBN) are networks consisting of finite-state, 
anonymous agents and a communication topology which specifies for every pair 
of processes, whether or not there is a communication link between them. Dur- 
ing a single step, a single agent can broadcast a message which is received by 
all of its neighbors, after which both the agent and its neighbors change their 
state according to some transition relation. Further, in between two steps, the 
communication topology can change in an arbitrary manner. For the problems 
that we consider in this paper, it is easier to forget the communication topology 
and define the semantics of an RBN directly in terms of collections of agents. 
Definition 1. A reconfigurable broadcast network is a tuple R = (Q, Σ, δ) where Q is a finite set of states, Σ is a finite alphabet and δ ⊆ Q × {!a, ?a | a ∈ Σ} × Q is the transition relation.

If (p, !a, q) (resp. (p, ?a, q)) is a transition in δ, we will denote it by p –!a→ q (resp. p –?a→ q). A configuration C of a RBN R is a multiset over Q, which intuitively counts the number of processes in each state. Given a letter a ∈ Σ and two configurations C and C' we say that there is a step C –a→ C' if there exists a multiset ⦃t, t_1, ..., t_k⦄ of δ for some k ≥ 0 satisfying the following: t = p –!a→ q, each t_i = p_i –?a→ q_i, C ≥ p + Σ_i p_i, and C' = C − p − Σ_i p_i + q + Σ_i q_i. We sometimes write this as C –t,t_1,...,t_k→ C' or C –t→ C'. Intuitively it means that a process at the state p broadcasts the message a and moves to q, and for each 1 ≤ i ≤ k, there is a process at the state p_i which receives this message and moves to q_i. We denote by →* the reflexive and transitive closure of the step relation. A run is then a sequence of steps.


Fig. 1. An RBN R with three states.


Let R = (Q, Σ, δ) be an RBN. Given configurations C and C', we say C' is reachable from C if C →* C'. We say C' is coverable from C if there exists C'' such that C →* C'' and C'' ≥ C'. The reachability problem consists of deciding, given a RBN R and configurations C, C', whether C' is reachable from C in R. The coverability problem consists of deciding, given a RBN R and configurations C, C', whether C' is coverable from C in R. Let S be a set of configurations. The predecessor set of S is pre*(S) = {C' | ∃C ∈ S. C' →* C}, and the successor set of S is post*(S) = {C' | ∃C ∈ S. C →* C'}.

Example 1. Figure 1 illustrates a RBN R = (Q, Σ, δ) with Q = {q_1, q_2, q_3}. Configuration ⦃3·q_1⦄ can reach ⦃2·q_1, q_3⦄ in two steps. First, a process broadcasts a, the two other processes receive it and move to q_2. Then, one of the processes in q_2 broadcasts b and moves to q_1, while the other one receives b and moves to q_3. Notice that ⦃q_3⦄ is only coverable from a configuration ⦃k·q_1⦄ if k ≥ 3.
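The step relation of Definition 1 together with reachability and coverability, as an added example that is not part of the paper: the four transitions of the Fig. 1 RBN are reconstructed from the run described in Example 1 (an assumption, since the figure is not reproduced here), and a configuration is a tuple of counts in the order q_1, q_2, q_3.

```python
from collections import deque
from itertools import product

# Constructed example: the RBN of Fig. 1, transitions reconstructed from the
# run described in Example 1 (an assumption, the figure itself is not available).
Q = ("q1", "q2", "q3")
IDX = {q: i for i, q in enumerate(Q)}
DELTA = {
    ("q1", "!a", "q1"),  # a process in q1 broadcasts a and stays in q1
    ("q1", "?a", "q2"),  # a process in q1 receiving a moves to q2
    ("q2", "!b", "q1"),  # a process in q2 broadcasts b and moves to q1
    ("q2", "?b", "q3"),  # a process in q2 receiving b moves to q3
}


def compositions(n, parts):
    """All tuples of `parts` non-negative integers summing to n."""
    if parts == 1:
        yield (n,)
        return
    for first in range(n + 1):
        for rest in compositions(n - first, parts - 1):
            yield (first,) + rest


def step(C):
    """All C' with C -a-> C' for some letter a (Definition 1).

    One process broadcasts via some (p, !a, q); every other process either
    ignores the message or follows one of its (p_i, ?a, q_i) transitions.
    Processes are anonymous, so it suffices to choose how many processes of
    each state take each option; this enumerates every receiving multiset."""
    succ = set()
    for (p, act, q) in DELTA:
        if act[0] != "!" or C[IDX[p]] == 0:
            continue
        a = act[1:]
        rest = list(C)
        rest[IDX[p]] -= 1                       # the broadcaster leaves p
        options = []                            # per state: (state, targets, splits)
        for s in Q:
            if rest[IDX[s]] == 0:
                continue
            targets = sorted(t for (ps, ac, t) in DELTA if ps == s and ac == "?" + a)
            splits = list(compositions(rest[IDX[s]], len(targets) + 1))
            options.append((s, targets, splits))
        for choice in product(*[o[2] for o in options]):
            new = [0] * len(Q)
            for (s, targets, _), split in zip(options, choice):
                new[IDX[s]] += split[0]         # processes that do not receive a
                for t, n in zip(targets, split[1:]):
                    new[IDX[t]] += n            # processes that receive a and move
            new[IDX[q]] += 1                    # the broadcaster arrives in q
            succ.add(tuple(new))
    return succ


def reach(C0):
    """post*({C0}) as a dict configuration -> length of a shortest run.
    Finite, because a step preserves the number of processes."""
    dist = {C0: 0}
    queue = deque([C0])
    while queue:
        C = queue.popleft()
        for D in step(C):
            if D not in dist:
                dist[D] = dist[C] + 1
                queue.append(D)
    return dist


def reachable(C0, C1):
    """The reachability problem for the two given configurations."""
    return C1 in reach(C0)


def coverable(C0, C1):
    """The coverability problem: some C'' >= C1 (componentwise) is reachable."""
    return any(all(x >= y for x, y in zip(D, C1)) for D in reach(C0))


if __name__ == "__main__":
    print(reach((3, 0, 0))[(2, 0, 1)])                                  # 2, as in Example 1
    print([k for k in range(1, 5) if coverable((k, 0, 0), (0, 0, 1))])  # [3, 4]
```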


2.3 Cubes and Counting Sets 


Given a finite set Q, a cube 𝒞 is a subset of M(Q) described by a lower bound L: Q → ℕ and an upper bound U: Q → ℕ ∪ {∞} such that 𝒞 = {C : L ≤ C ≤ U}. Abusing notation, we identify the set 𝒞 with the pair (L, U). Notice that since U(q) can be ∞ for some state q, a cube can contain an infinite number of configurations. All the results in this paper are true irrespective of whether the constants in a given input cube are encoded in unary or binary.

A finite union of cubes ⋃_{i=1}^m (L_i, U_i) is called a counting constraint and the set of configurations ⋃_i 𝒞_i it describes is called a counting set. Notice that two different counting constraints may describe the same counting set. For example, let Q = {q} and let (L, U) = (1, 3), (L', U') = (2, 4), (L'', U'') = (1, 4). The counting constraints (L, U) ∪ (L', U') and (L'', U'') define the same counting set. It is easy to show (see also Proposition 2 of [11]) that counting constraints and counting sets are closed under Boolean operations.


Norms. Let 𝒞 = (L, U) be a cube. Let ||𝒞||_L be the sum of the components of L. Let ||𝒞||_U be the sum of the finite components of U if there are any, and 0 otherwise. The norm of 𝒞 is the maximum of ||𝒞||_L and ||𝒞||_U, denoted by ||𝒞||. We define the norm of a counting constraint Γ = ⋃_{i=1}^m 𝒞_i as ||Γ|| = max_{i∈[1,m]} ||𝒞_i||. The norm of a counting set S is the smallest norm of a counting constraint representing S, that is, ||S|| = min_{Γ representing S} ||Γ||. Proposition 5 of [11] entails the following results for the norms of the union, intersection and complement.


Proposition 1. Let S_1, S_2 be counting sets. The norms of the union, intersection and complement satisfy: ||S_1 ∪ S_2|| ≤ max{||S_1||, ||S_2||}, ||S_1 ∩ S_2|| ≤ ||S_1|| + ||S_2||, and ||M(Q) \ S_1|| ≤ |Q| · ||S_1|| + |Q|.


Reachability. The reachability problem can be generalized to the cube-reachability problem which consists of deciding, given an RBN R and two cubes 𝒞, 𝒞', whether there exist configurations C ∈ 𝒞 and C' ∈ 𝒞' such that C' is reachable from C in R. If this is the case, we say 𝒞' is reachable from 𝒞. The counting set-reachability problem asks, given an RBN R and two counting sets S, S', whether there exist cubes 𝒞 ∈ S and 𝒞' ∈ S' such that 𝒞' is reachable from 𝒞 in R. We define cube-coverability and counting set-coverability in an analogous way.


Remark 1. In the paper [8], the authors define a sub-class of the cube-reachability problem, which is called the unbounded initial cube-reachability problem in [3]. More precisely, the sub-class considered in [8] is the following: We are given an RBN and two cubes 𝒞 = (L, U) and 𝒞' = (L', U') with the special property that L(q) = 0 and U(q) ∈ {0, ∞} for every state q. We then have to decide if 𝒞 can reach 𝒞'. This problem was shown to be PSPACE-complete ([8], Theorem 5.5), whenever the numbers in the input are given in unary. As we shall show later in this paper, the cube-reachability problem itself is in PSPACE, even when the input numbers are encoded in binary, thereby generalizing the upper bound results given in that paper.


66 A. R. Balasubramanian, L. Guillou, C. Weil-Kennedy 
3 Reachability sets of counting sets 


In this section, we set the stage for proving the main result of this paper. This main result is given in two stages: First, we show that given a RBN with state set Q and a counting set S, the set post*(S) is also a counting set and ||post*(S)|| ≤ 2^{p(||S||, |Q|)} where p is some fixed polynomial. Using this, we then prove that a host of cube-parameterized problems for RBN can be solved in PSPACE.

The rest of this section is organized as follows: To prove the first result, we 
recall the notion of a symbolic graph of a RBN from [8]. In the symbolic graph, 
each node is a symbolic configuration of the RBN, which intuitively represents 
an infinite set of configurations in which the number of agents is fixed in some 
states, and arbitrarily big in the others. Next, by exploiting the special structure 
of the symbolic graph, we prove some properties which allow us to show that 
whenever two nodes in this graph are reachable, they are reachable by a path 
having a special structure. Finally, using these properties and the connection 
between symbolic configurations and configurations of the RBN, we prove the 
desired first result. Once we have shown the first result, we then show how the 
PSPACE Theorem can be obtained from it. 

Throughout this section, we fix an RBN R = (Q, X, ô). 


3.1 Symbolic graph 


In this subsection, we recall the notion of a symbolic graph of an RBN from [8]. 
Here, for the sake of convenience, we define it in a slightly different way, but the 
underlying notion is the same as [8]. Throughout this subsection and the next, 
we fix a number k € N. 

The symbolic graph of index k associated with the RBN R is an edge-labelled graph G_k = (N, E, L) where N = M_k(Q) × 2^Q is the set of nodes. Here M_k(Q) denotes the set of multisets on Q of size at most k. E is the set of edges and L: E → Σ is the labelling function. Each node of G_k is also called a symbolic configuration. Intuitively, in each symbolic configuration (v, S), the multiset v (called the concrete part) is used to keep track of a fixed set of at most k agents, and the subset S (called the abstract part) is used to keep track of the support of the remaining agents.

Let θ = (v, S) and θ' = (v', S') be two symbolic configurations. There is an edge labelled by a between θ and θ' if and only if the following is satisfied: There exists a transition (q, !a, q') ∈ δ such that at least one of the following two conditions holds

– (Broadcast from v) There exists a multiset of transitions ⦃(p_1, ?a, p'_1), ..., (p_l, ?a, p'_l)⦄ such that v' = v − Σ_i p_i + Σ_i p'_i − q + q', and for each q_s ∈ Q:
  • If q_s ∈ S' \ S then there exists q_r ∈ S and (q_r, ?a, q_s) ∈ δ,
  • If q_s ∈ S \ S' then there exists q_r ∈ S' and (q_s, ?a, q_r) ∈ δ.
– (Broadcast from S) There exists a multiset of transitions ⦃(p_1, ?a, p'_1), ..., (p_l, ?a, p'_l)⦄ such that v' = v − Σ_i p_i + Σ_i p'_i, q ∈ S, q' ∈ S', and for each q_s ∈ Q \ {q, q'}:
  • if q_s ∈ S' \ S then there exists q_r ∈ S and (q_r, ?a, q_s) ∈ δ,
  • if q_s ∈ S \ S' then there exists q_r ∈ S' and (q_s, ?a, q_r) ∈ δ.


An edge labelled by a between θ and θ' is denoted by θ ⇝_a θ'. The relation ⇝*_{G_k} is the reflexive and transitive closure of ⇝_{G_k} := ⋃_{a∈Σ} ⇝_a. Whenever the index k is clear, we will drop the subscript G_k from these notations.


Remark 2. Let θ = (v, S), θ' = (v', S') be two symbolic configurations. By construction, θ can only reach θ' if |v| = |v'|.


To give an intuition behind the edges in G_k, recall the intuition that in a
symbolic configuration, the concrete part is used to keep track of a fixed set of 
at most k processes and the abstract part is used to keep track of the support of 
the remaining processes. The first condition for the existence of an edge asserts 
the following: 1) In the concrete part, some process broadcasts the message a and 
some subset of processes receive a, 2) In the abstract part, any new state added 
or any old state deleted comes because of receiving a. The second condition 
asserts exactly the same, except we now require the process broadcasting the 
message a to be from the abstract part. 

The symbolic graph of index k can be thought of as an abstraction of the 
set of configurations of R, where only a fixed number of processes are explicitly 
represented and the rest are abstracted by means of their support alone. To 
formalize this, given a symbolic configuration θ = (v, S), we let [θ] denote the following (infinite) set of configurations: C ∈ [θ] if and only if C(q) = v(q) for q ∉ S and C(q) > v(q) for q ∈ S.


Fig. 2. Symbolic graph G_0 of index 0 of the RBN of Example 1.


Example 2. The symbolic graph G_0 of index 0 of the RBN of Example 1 is illustrated in Figure 2. At this index, the graph only keeps track of a subset S ⊆ Q, and the edges correspond to broadcasts from S. Consider the edges from {q_1}. The self-loop corresponds to a broadcast of a that is not received. The edge to {q_1, q_2} corresponds to a broadcast of a received by at least one process in q_1. There is no edge from {q_3} because there is no broadcast transition from q_3.
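The edge definition of Section 3.1, as an added example that is not the paper's or the authors' code, implemented for an arbitrary index k and run on the RBN of Example 1 (its transitions are reconstructed from the run described there, an assumption); the two conditions on the abstract part follow the definition as it is reconstructed above, so they are an assumption wherever the original reads differently.

```python
from itertools import combinations, combinations_with_replacement, product

# Constructed example: the RBN of Fig. 1 / Example 1 (transitions reconstructed
# from the run described there, an assumption), used to build its symbolic graph.
Q = ("q1", "q2", "q3")
DELTA = {("q1", "!a", "q1"), ("q1", "?a", "q2"),
         ("q2", "!b", "q1"), ("q2", "?b", "q3")}
SUBSETS = [frozenset(c) for r in range(len(Q) + 1) for c in combinations(Q, r)]


def receivers(a, s):
    """States s' with s -?a-> s' in delta."""
    return [t for (p, act, t) in DELTA if p == s and act == "?" + a]


def abstract_ok(a, S, S2, exclude=()):
    """The two bullet conditions relating abstract parts S and S' = S2 for a
    broadcast of a, checked for every q_s in Q minus `exclude`."""
    for qs in Q:
        if qs in exclude:
            continue
        # a state appearing in S' must be entered by receiving a from a state of S
        if qs in S2 and qs not in S and not any(qs in receivers(a, qr) for qr in S):
            return False
        # a state leaving S must do so by receiving a and moving into a state of S'
        if qs in S and qs not in S2 and not any(qr in S2 for qr in receivers(a, qs)):
            return False
    return True


def concrete_moves(a, agents):
    """Every concrete part v' obtainable when each concrete process (one entry
    of `agents`) either ignores the broadcast of a or takes one ?a transition."""
    choices = [[s] + receivers(a, s) for s in agents]
    return {tuple(sorted(c)) for c in product(*choices)}


def edges(theta):
    """Labelled successors of theta = (v, S) in G_k; v is a sorted tuple of
    states (one entry per concrete process), S a frozenset (abstract part)."""
    v, S = theta
    succ = set()
    for (q, act, q2) in DELTA:
        if act[0] != "!":
            continue
        a = act[1:]
        if q in v:                      # (Broadcast from v): a concrete process broadcasts
            rest = list(v)
            rest.remove(q)
            for v2 in concrete_moves(a, rest):
                for S2 in SUBSETS:
                    if abstract_ok(a, S, S2):
                        succ.add((a, (tuple(sorted(v2 + (q2,))), S2)))
        if q in S:                      # (Broadcast from S): an abstract process broadcasts
            for v2 in concrete_moves(a, v):
                for S2 in SUBSETS:
                    if q2 in S2 and abstract_ok(a, S, S2, exclude=(q, q2)):
                        succ.add((a, (v2, S2)))
    return succ


def symbolic_graph(k):
    """G_k as a dict node -> set of (label, node); the nodes are M_k(Q) x 2^Q."""
    nodes = [(v, S) for n in range(k + 1)
             for v in combinations_with_replacement(Q, n) for S in SUBSETS]
    return {theta: edges(theta) for theta in nodes}


if __name__ == "__main__":
    G0 = symbolic_graph(0)
    for (label, (_, S)) in sorted(G0[((), frozenset({"q1"}))], key=lambda e: sorted(e[1][1])):
        print("{q1} --%s--> %s" % (label, sorted(S)))   # self-loop and edge to {q1, q2}
    print(len(G0[((), frozenset({"q3"}))]))              # 0: no broadcast transition from q3
```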


We then have the following lemma, which asserts that runs between two 
configurations in an RBN induce corresponding runs in the symbolic graph. The 
proof of the lemma is easily obtained from the definition of the symbolic graph. 


Lemma 1. Let C, C' be two configurations of R such that C →* C'. Then, for every θ such that C ∈ [θ], there exists θ' such that C' ∈ [θ'] and θ ⇝* θ'.


3.2 Properties of the symbolic graph 


In this subsection, we prove some properties of the symbolic graph (of any index 
k). The first two properties that we prove exhibit some structural properties on 
the paths of the symbolic graph. The next two properties relate paths over the 
symbolic graph to runs over the configurations of the given RBN. These four 
properties will ultimately lead us to prove our two main contributions in the 
next section. 


First property: Monotonicity. Let k ∈ ℕ and let G_k be the symbolic graph of index k associated with R. The first key property of G_k is the following property, which we call monotonicity.


Proposition 2. Let θ = (v, S) and θ' = (v', S') be symbolic configurations of G_k. Then the following are true:


– If Z ⊆ S and θ ⇝* θ', then (v, S) ⇝* (v', Z ∪ S').
– If Z ⊆ Q and θ ⇝* θ', then (v, Z ∪ S) ⇝* (v', Z ∪ S').


Proof. The two points follow immediately from the definition of ⇝*.


Second property: Normal Form. To state the second property, we first need 
a small definition. 


Definition 2. Let (v_0, S_0) ⇝ ··· ⇝ (v_m, S_m) be a path in G_k. A pair of indices 0 ≤ i < j ≤ m is called a bad pair if (S_i \ S_{i+1}) ∩ S_j ≠ ∅. A path is said to be in normal form if it contains no bad pairs, i.e., for all 0 ≤ i < m and any j > i, (S_i \ S_{i+1}) ∩ S_j = ∅.


Intuitively, a path is in normal form if during each step, the states that 
disappear from the abstract part never reappear again. The following lemma 
asserts that whenever there is a path between two symbolic configurations, then 
there is a path between them that is in normal form. 


Lemma 2. Let θ, θ' be symbolic configurations of G_k such that there is a path between θ and θ' of length m. Then, there is a path in normal form between θ and θ' of length m.
Proof Sketch. Let θ = θ_0 ⇝ θ_1 ⇝ θ_2 ⇝ ... ⇝ θ_{m−1} ⇝ θ_m = θ' be the path between θ and θ'. We proceed by induction on m. The claim is clearly true for m = 0. Suppose m > 0 and the claim is true for m−1. By induction hypothesis, we can assume that the path θ_0 ⇝ θ_1 ⇝ ... ⇝ θ_{m−1} is already in normal form.

Let each θ_i = (v_i, S_i). Let l be the number of bad pairs in the path between θ_0 and θ_m. If l = 0, then the path is already in normal form and we are done. Suppose l > 0 and let (w, w') be a bad pair. Since the path between θ_0 and θ_{m−1} is already in normal form, it has to be the case that w' = m. Hence, we have Z := (S_w \ S_{w+1}) ∩ S_m ≠ ∅.

By Proposition 2, the following is a valid path: (v_w, S_w) ⇝ (v_{w+1}, S_{w+1} ∪ Z) ⇝ (v_{w+2}, S_{w+2} ∪ Z) ⇝ ... ⇝ (v_{m−1}, S_{m−1} ∪ Z) ⇝ (v_m, S_m ∪ Z) = (v_m, S_m). Let θ̂_j := θ_j if j ≤ w and (v_j, S_j ∪ Z) otherwise. Hence, we get a path θ̂_0 ⇝ θ̂_1 ⇝ ... ⇝ θ̂_m.

Let each θ̂_i = (v̂_i, Ŝ_i) and let 0 ≤ i < j ≤ m−1. By a case analysis on where i and j are relative to the index w, we can prove that (Ŝ_i \ Ŝ_{i+1}) ∩ Ŝ_j = ∅. Having proved this, it is then clear by construction that this new path from θ̂_0 := θ_0 to θ̂_m = θ_m has at most l − 1 bad pairs only. Hence, we now have a path from θ_0 to θ_m such that the prefix of length m − 1 is in normal form and the number of bad pairs has been strictly reduced to l − 1. Repeatedly applying this procedure leads to a path in normal form between θ_0 and θ_m.
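The bad-pair test of Definition 2 and the lifting step of the proof sketch above, as an added illustration that is not the paper's code, applied to the abstract parts of a constructed path: the concrete parts v_j are untouched by the lifting, and the validity of the lifted path as a path of G_k rests on Proposition 2, which the code does not re-check.

```python
def bad_pairs(S):
    """All bad pairs (i, j), 0 <= i < j <= m, of a path whose abstract parts
    are S = [S_0, ..., S_m] (Definition 2): (S_i \\ S_{i+1}) ∩ S_j is non-empty."""
    return [(i, j) for i in range(len(S) - 1) for j in range(i + 1, len(S))
            if (S[i] - S[i + 1]) & S[j]]


def normalize(S):
    """Abstract parts of a path in normal form with the same endpoints.

    Follows the induction of Lemma 2: for growing m, while some (w, m) is a
    bad pair, lift Z = (S_w \\ S_{w+1}) ∩ S_m into S_{w+1}, ..., S_m
    (Proposition 2 keeps this a path of G_k); S_m already contains Z, so the
    endpoint is unchanged. Each lift strictly enlarges S_{w+1}, because Z is
    disjoint from it by definition, so the inner loop terminates."""
    S = [frozenset(x) for x in S]
    for m in range(1, len(S)):
        while True:
            bad = [w for w in range(m) if (S[w] - S[w + 1]) & S[m]]
            if not bad:
                break
            w = bad[0]
            Z = (S[w] - S[w + 1]) & S[m]
            for j in range(w + 1, m + 1):
                S[j] = S[j] | Z
    return S


# Constructed path of abstract parts over Q = {q1, q2, q3}; it is only meant to
# exhibit a bad pair, not claimed to be a path of the G_0 of Example 1.
PATH = [{"q1", "q2"}, {"q1"}, {"q1", "q3"}, {"q1", "q2", "q3"}]

if __name__ == "__main__":
    print(bad_pairs(PATH))                       # [(0, 3)]: q2 leaves S_0 and reappears in S_3
    print([sorted(s) for s in normalize(PATH)])  # q2 lifted into S_1 and S_2
```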


Third property: Refinement. Before we state the third property, we need a small definition. Recall that, given a symbolic configuration θ = (v, S), the set [θ] denotes the set of configurations C such that C(q) = v(q) if q ∉ S and C(q) > v(q) otherwise. The following definition refines the set [θ].


Definition 3. Given a symbolic configuration θ = (v, S) and a number N ∈ ℕ, let [θ]_N denote the set of configurations C such that C(q) = v(q) if q ∉ S and C(q) > v(q) + N otherwise. Note that [θ] = [θ]_0.


This definition along with the above two properties now enables us to prove the third property. It roughly states that if a symbolic configuration θ' can be reached from another symbolic configuration θ, then there is a "small" N such that any configuration in [θ']_N can be reached from some configuration in [θ].


Theorem 1. Let θ, θ' be symbolic configurations of G_k such that θ ⇝* θ'. Then there exists N ≤ k × (2k)^{|Q|} × (|Q|+1)^{|Q|+1} + 1 such that for all C' ∈ [θ']_N, there exists C ∈ [θ] such that C →* C'.


Proof Sketch. Suppose θ ⇝* θ'. If the length of the path is 0, then there is nothing to prove. Hence, we restrict ourselves to the case when the length of the path is bigger than 0. By Lemma 2, there is a path in normal form from θ to θ', (say) θ = θ_0 ⇝ θ_1 ⇝ θ_2 ⇝ ... ⇝ θ_{m−1} ⇝ θ_m = θ' with each θ_i := (v_i, S_i).

Let N_0 = 0 and let N_i = (N_{i−1} + 1) · (|S_{i−1} \ S_i| + 1) for every 1 ≤ i ≤ m. In Lemma 5.3 of [8] (more precisely in its proof, in Lemma 6 of the long version [9]), the following fact has been proved:




For every 1 ≤ i ≤ m and for every C' ∈ [θ_i]_{N_i}, there exists C ∈ [θ_{i−1}]_{N_{i−1}+1} such that C →* C'.


This immediately proves that for all C' ∈ [θ_m]_{N_m+1}, there exists C ∈ [θ_0] such that C →* C'. If we prove N_m ≤ k × (2k)^{|Q|} × (|Q|+1)^{|Q|+1}, then the proof of the theorem will be complete.

Notice that if (v, ∅) ⇝ (v', S') is an edge in G_k then S' = ∅. This fact, along with the definition of a path in normal form, allows us to easily conclude that the number of indices i such that |S_{i−1} \ S_i| > 0 is at most |Q|. It then follows that except for at most |Q| indices, each index N_i is obtained from N_{i−1} by simply adding 1 and in the remaining indices, N_i is obtained from N_{i−1} by adding 1 and then multiplying by a number which is at most |Q| + 1. Using this, we can deduce that the maximum value for N_m is at most (m − |Q| + 1) · |Q| · (|Q|+1)^{|Q|}. Since m is itself the length of the path between θ_0 and θ_m, m is upper bounded by the number of symbolic configurations in G_k, which is at most k × k^{|Q|} × 2^{|Q|}. Overall we get that N_m ≤ k × (2k)^{|Q|} × (|Q|+1)^{|Q|+1}.


Remark 3. A similar result was proved in Lemma 5.3 of [8], but there it was just stated that there exists an $N$ satisfying this property. Moreover, from the proof of that lemma, only a doubly exponential bound on $N$ could be inferred.


Fourth property: Compatibility. To describe the fourth property, we need 
the following notion of order on configurations, relative to a given symbolic 
configuration. 


Definition 4. Let $\theta = (v, S)$ be a symbolic configuration, and let $C, C'$ be two configurations of $R$. We define an order $\preceq_\theta$ such that $C \preceq_\theta C'$ if and only if $C, C' \in [\theta]$, and $\forall q \in S$, $C(q) \le C'(q)$.


This definition enables us to state our next property, which we dub compat- 
ibility. It intuitively says that the order that we have defined is, in some sense, 
compatible with the edges of the symbolic configurations. 


Lemma 3. Let $\theta$ be a symbolic configuration of $G_k$, and let $C, C'$ be two configurations of $R$. If $C \in [\theta]$ and $C \to^* C'$, then there exists a symbolic configuration $\theta'$ such that 1) $C' \in [\theta']$, 2) $\theta \leadsto^* \theta'$ and 3) for all $C'_1$ such that $C'_1 \succeq_{\theta'} C'$, there exists $C_1 \in [\theta]$ such that $C_1 \to^* C'_1$.


Proof. Let $\theta$ be a symbolic configuration and $C, C'$ be configurations such that $C \in [\theta]$ and $C \to^* C'$. Let $C = C_0 \to \cdots \to C_{m-1} \to C_m = C'$ denote the run between $C$ and $C'$. We prove the property by induction on $m$. For $m = 0$, we have $C = C'$. The property is easily seen to hold with $\theta' = \theta$.

Suppose now that $m \ge 1$, and that the property holds for all $n < m$. By induction hypothesis, for the configuration $C_{m-1}$, there exists a symbolic configuration $\theta_{m-1}$ satisfying the property, in particular $\theta \leadsto^* \theta_{m-1}$. Since $C_{m-1} \xrightarrow{a} C_m$ for some $a \in \Sigma$, by Lemma 1, there exists a symbolic configuration $\theta_m$ such that $C_m \in [\theta_m]$, and $\theta_{m-1} \leadsto \theta_m$. Using $\theta \leadsto^* \theta_{m-1}$, we obtain that $\theta \leadsto^* \theta_m$.

Let $\theta_{m-1} = (v_{m-1}, S_{m-1})$ and $\theta_m = (v_m, S_m)$. Let $C'_m \in [\theta_m]$ be such that $C'_m \succeq_{\theta_m} C_m$. We will construct a configuration $C'_{m-1} \in [\theta_{m-1}]$ such that $C'_{m-1} \succeq_{\theta_{m-1}} C_{m-1}$ and $C'_{m-1} \to C'_m$. If we construct such a configuration, then by induction hypothesis, there is a $C_1 \in [\theta]$ such that $C_1 \to^* C'_{m-1} \to C'_m$, which will conclude the proof.

Let $C'_{m-1}(q) = C_{m-1}(q)$ for all $q \notin S_{m-1}$. To define $C'_{m-1}$ on $S_{m-1}$, we first define a mapping $pred$ from states in $S_m$ to states of $S_{m-1} \cup \overline{S_{m-1}} = Q$ as follows. Given $q' \in S_m$:

— If $q' \in S_{m-1}$, $pred(q') = q'$;

— If $q' \notin S_{m-1}$, by definition of edges in the symbolic graph, there exists $q \in S_{m-1}$ such that $(q, ?a, q')$ is a transition. Then $pred(q') = q$ for one (arbitrary but fixed) such $q$.

By definition, $C'_m(q) = C_m(q)$ for all $q \notin S_m$. For all $q \in S_m$, let $n_q = C'_m(q) - C_m(q)$. Intuitively, we want to place these $n_q$ processes in the right places of $C'_{m-1}$ so that $C'_{m-1} \to C'_m$. For all $q \in S_{m-1}$, let $C'_{m-1}(q) = C_{m-1}(q) + \sum_{q' \in S_m,\ pred(q') = q} n_{q'}$. By definition, $C'_{m-1} \succeq_{\theta_{m-1}} C_{m-1}$. So all that remains is to prove that $C'_{m-1} \to C'_m$.

Let $C_{m-1} \to C_m$ be the step taken with the broadcast transition $t = (p, !a, p')$ and the receiving transitions $t_i = (p_i, ?a, p'_i)$. If we let $S_m \setminus S_{m-1} = \{q_1, \ldots, q_l\}$, then by definition there is a transition $t'_i := (pred(q_i), ?a, q_i)$ for each $i$. Additionally, $C'_{m-1}(pred(q_i)) \ge C_{m-1}(pred(q_i)) +$

…cludes the proof.


4 The PSPACE Theorem 


In this section, we prove our two main contributions. First, we show that given 
a cube C, post*(C) is a counting set of bounded size. Using this, we show our 
main result: any boolean combination of atoms can be evaluated in PSPACE, 
where an atom is a counting set or the reachability set of a counting set. We call 
this the PSPACE Theorem. The intuition behind the PSPACE Theorem is that 
the norms of the counting sets obtained by such combinations are “small”, and 
so we only need to examine small configurations to verify them, thus yielding a 
PSPACE algorithm for checking correctness. In particular, the PSPACE Theorem 
will show that the cube-reachability problem is in PSPACE. We fix an arbitrary 
RBN $R = (Q, \Sigma, \delta)$ for the rest of the section.
We start by drawing links between cubes and symbolic configurations. 


— Given a symbolic configuration $\theta = (v, S)$, we let $\mathcal{C}_\theta$ be the cube $(L, U)$ where $L = v$, and $U(q) = v(q)$ if $q \notin S$ and $U(q) = \infty$ otherwise. Then $\mathcal{C}_\theta = [\theta]$.

— Given a cube $\mathcal{C} = (L, U)$, we define $A_{\mathcal{C}}$ to be the set of symbolic configurations $\theta = (v, S)$ with $S = \{q \mid U(q) = \infty\}$ and $L(q) \le v(q) \le U(q)$ if $q \notin S$ and $v(q) = L(q)$ otherwise. Then $[A_{\mathcal{C}}] = \mathcal{C}$.

Notice that the set $A_{\mathcal{C}}$ is included in the symbolic graph of index $2\|\mathcal{C}\|$. Indeed, if $\mathcal{C} = (L, U)$ and $(v, S) \in A_{\mathcal{C}}$, then $|v| \le |L| + |U_f|$ where $U_f(q) = 0$ if $U(q) = \infty$ and $U_f(q) = U(q)$ otherwise. Since $\|\mathcal{C}\| = \max(|L|, |U_f|)$, we have the desired result. By Remark 2, we know that symbolic configurations in the graph of index $2\|\mathcal{C}\|$ can only reach symbolic configurations which are also in the graph of index $2\|\mathcal{C}\|$.


Lemma 4. Given a cube $\mathcal{C}$, the sets $A_{\mathcal{C}}$ and $post^*(A_{\mathcal{C}})$ are included in the symbolic graph of index $2\|\mathcal{C}\|$.


There are only a finite number of symbolic configurations in the graph of a given index. Therefore $post^*(A_{\mathcal{C}})$ is a finite set of symbolic configurations $\theta$. It follows that $[post^*(A_{\mathcal{C}})]$ is the finite union of the cubes $\mathcal{C}_\theta$, and thus a counting set.

Unfortunately, it is in general not the case that $post^*(\mathcal{C}) = [post^*(A_{\mathcal{C}})]$, which would close our argument. However, we will show that for each symbolic configuration $\theta$ in $post^*(A_{\mathcal{C}})$, there is a counting set $S_\theta \subseteq [\theta]$ such that the finite union of these counting sets is equal to $post^*(\mathcal{C})$. This will then show our first important result, namely that the reachability set of a counting set is also a counting set with "small" norm.


Theorem 2. Let $\mathcal{C}$ be a cube. Then $post^*(\mathcal{C})$ is a counting set and
$$\|post^*(\mathcal{C})\| \in O\big((\|\mathcal{C}\| \cdot |Q|)^{|Q|+2}\big).$$

The same holds for $pre^*$ by using the given RBN with reversed transitions.


Proof. We start by defining a counting set $M$ of configurations, which we will then prove to be equal to $post^*(\mathcal{C})$. Given a symbolic configuration $\theta$ of $post^*(A_{\mathcal{C}})$, we define the set $\min(\theta, \mathcal{C})$ to be the set of configurations $C \in [\theta]$ such that $C$ is minimal for the order $\preceq_\theta$ over the configurations of $post^*(\mathcal{C})$, i.e.

$$\min(\theta, \mathcal{C}) = \min_{\preceq_\theta} \{ C \in [\theta] \mid C \in post^*(\mathcal{C}) \}.$$

We can now define $M$ to be the following set

$$M = \bigcup_{\theta \in post^*(A_{\mathcal{C}})} \ \bigcup_{C \in \min(\theta, \mathcal{C})} \mathcal{C}^\theta_C$$

where $\mathcal{C}^\theta_C$ is the cube $\mathcal{C}_{(C, S)}$ for $S$ such that $\theta = (v, S)$. Since $M$ is a finite union of cubes, it is a counting set.

We show that $post^*(\mathcal{C}) \subseteq M$. Let $C \in post^*(\mathcal{C})$. There exists $C_0 \in \mathcal{C}$ such that $C_0 \to^* C$, and there exists $\theta_0 \in A_{\mathcal{C}}$ such that $C_0 \in [\theta_0]$. Applying Lemma 1, we obtain the existence of $\theta \in post^*(\theta_0) \subseteq post^*(A_{\mathcal{C}})$ such that $C \in [\theta]$. Now, there exists a configuration $C' \in \min(\theta, \mathcal{C})$ such that $C' \preceq_\theta C$. By definition of $\mathcal{C}^\theta_{C'}$, $C$ is in $\mathcal{C}^\theta_{C'}$, and thus in $M$.

Now we show that $M \subseteq post^*(\mathcal{C})$. Let $C \in M$. By definition, there must be a symbolic configuration $\theta \in post^*(A_{\mathcal{C}})$ and a configuration $C' \in post^*(\mathcal{C})$ such that $C' \preceq_\theta C$. By the Compatibility Lemma (Lemma 3), $C$ is in $post^*(\mathcal{C})$ as well.

All that remains is to bound the norm of $M$. To do this, let $\theta = (v, S) \in post^*(A_{\mathcal{C}})$ and let $C \in \min(\theta, \mathcal{C})$. If we bound the norm of $\mathcal{C}^\theta_C$ by the desired quantity, then the proof will be complete. Noticing that $\|\mathcal{C}^\theta_C\| = |C|$, it suffices to bound $|C|$ by the desired quantity, which is what we shall do now.

By Theorem 1 and Lemma 4, there exists an $N \le 2\|\mathcal{C}\| \times (4\|\mathcal{C}\|)^{|Q|} \times (|Q|+1)^{|Q|+1}$ such that $[post^*(A_{\mathcal{C}})]_N \subseteq post^*([A_{\mathcal{C}}]) = post^*(\mathcal{C})$. By definition of $C$, there must be a smallest $N'$ such that $C(q) \le v(q) + N'$ for every state $q$. If $N' > N$, then let $C_N$ be the configuration given by $C_N(q) = \min(C(q), v(q) + N)$. We get that $C_N \in [\theta]_N \subseteq [post^*(A_{\mathcal{C}})]_N \subseteq post^*(\mathcal{C})$, and so $C_N \preceq_\theta C$ and $C_N \in post^*(\mathcal{C})$, which is a contradiction to the minimality of $C$. Hence $N' \le N$ and so $|C| \le |v| + |Q| \cdot N$. Since $\theta = (v, S)$ is in $post^*(A_{\mathcal{C}})$, by Lemma 4, we have that $|v| \le 2\|\mathcal{C}\|$. Substituting the upper bounds for $|v|$ and $N$ in the inequality $|C| \le |v| + |Q| \cdot N$ then gives the required upper bound for $|C|$, thereby finishing the proof.

This result also holds for $pre^*(\mathcal{C})$. If $R = (Q, \Sigma, \delta)$ is the given RBN, consider the "reverse" RBN $R_r$, defined as $R_r = (Q, \Sigma, \delta_r)$ where $\delta_r$ has a transition $(q, \star a, q')$ for $\star \in \{!, ?\}$ iff $\delta$ has a transition $(q', \star a, q)$. Notice that $R_r$ is still an RBN and that $post^*(\mathcal{C})$ in $R$ is equal to $pre^*(\mathcal{C})$ in $R_r$.


Recall that counting sets are closed under boolean operations. With the above 
theorem, plus the fact that counting sets are finite unions of cubes, we obtain 
the following closure result. 


Corollary 1 (Closure). Counting sets are closed under post*, pre* and boolean 
operations. 


We are now ready to show our main result, the PSPACE Theorem. We 
show that there exist PSPACE algorithms to evaluate boolean combinations over 
counting sets and reachability set of counting sets. This result and its proof are 
adapted from a similar result for population protocols in [12]. 

Given a counting constraint $\Gamma$, we let $[\Gamma]$ denote the counting set described by $\Gamma$. To state our result, we first define some "nice" expressions.


Definition 5. A nice expression is any expression that is constructed by the following syntax:

$$E := \Gamma \ \mid\ post^*(\Gamma) \ \mid\ pre^*(\Gamma) \ \mid\ E \cap E \ \mid\ E \cup E \ \mid\ \overline{E}$$

where $\Gamma$ is any counting constraint.
If $E$ is a nice expression, then the size of $E$, denoted by $|E|$, is defined as follows:

— If $E = \Gamma$ or $post^*(\Gamma)$ or $pre^*(\Gamma)$, then $|E| = 1$;

— If $E = E_1 \cup E_2$ or $E = E_1 \cap E_2$, then $|E| = |E_1| + |E_2|$;

— If $E = \overline{E_1}$, then $|E| = |E_1| + 1$.

The set of configurations that is described by a nice expression $E$ can be defined in a straightforward manner, and is denoted as $[E]$.

Notice that any nice expression $E$ is a counting constraint, and $[E]$ is a counting set, by the Closure Corollary 1.


Theorem 3 (PSPACE Theorem). Let $E$ be a nice expression and let $N$ be the maximum norm of the counting constraints appearing in $E$. Then $[E]$ is a counting set of norm at most exponential in $N$, $|E|$ and $|Q|$. Further, the membership and emptiness problems for $[E]$ are in PSPACE.

Proof. Recall that $[E]$ is a counting set, by the Closure Corollary (Corollary 1). The exponential bounds for the norms follow immediately from Proposition 1 and Theorem 2. The membership complexity for union, intersection and complement is easy to see. Without loss of generality it suffices to prove that membership in $post^*(\Gamma)$ is in PSPACE, where $\Gamma$ is a counting constraint.

By Savitch's Theorem NPSPACE = PSPACE, so we provide a nondeterministic algorithm. Given $(C, \Gamma)$, we want to decide whether $C \in post^*(\Gamma)$. The algorithm first guesses a configuration $C_0 \in \Gamma$ of the same size as $C$, verifies that $C_0$ belongs to $\Gamma$, and then simply guesses an execution starting at $C_0$, step by step. The algorithm stops if either the configuration reached at some step is $C$, or if it has guessed more steps than the number of configurations of size $|C|$. This concludes the discussion regarding the membership complexity.

To see that checking emptiness of $[E]$ is in PSPACE, notice that if $[E]$ is nonempty, then it has an element of size at most $\|E\|$. We can guess such an element $C$ in polynomial space (by representing each coefficient in binary), and verify that $C$ is indeed in $[E]$ by means of the PSPACE membership algorithm.


This result is a powerful tool which can be used to prove that a host of problems are in PSPACE for RBN. For instance, the cube-reachability problem for cubes $\mathcal{C}$ and $\mathcal{C}'$ is just checking if $post^*(\mathcal{C}) \cap \mathcal{C}'$ is empty, which by the PSPACE Theorem can be done in PSPACE. Combining this with Remark 1, we obtain the following result.


Theorem 4. Cube-reachability is PSPACE-complete for RBN. 


By the reduction given in Section 4.2 of [3], this result also proves that 
cube-reachability is PSPACE-complete for asynchronous shared-memory systems 
(ASMS), which is another model of distributed computation where agents com- 
municate by a shared register. Due to lack of space, we defer a discussion of this 
result to the appendix. 

We will demonstrate further applications of the PSPACE Theorem in the next 
section. 


5 Application 1: Almost-sure coverability 


Having presented our PSPACE Theorem and the closure property for reachability sets of counting sets, we now provide two applications. For the first one, we consider the almost-sure coverability problem for RBN. Using our new results, we prove that this problem is PSPACE-complete.

The rest of the section is as follows: We first recall the definition of the almost-sure coverability problem, give a characterization of it in terms of counting sets and then prove PSPACE-completeness. Throughout this section, we fix an RBN $R = (Q, \Sigma, \delta)$ with two special states $init, fin \in Q$, which will respectively be called the initial and final states.


5.1 The almost-sure coverability problem 


Let $\uparrow\! fin$ denote the set of all configurations $C$ of $R$ such that $C(fin) \ge 1$. For any $k \ge 1$, we say that the configuration $\{k \cdot init\}$ almost-surely covers $fin$ if and only if $post^*(\{k \cdot init\}) \subseteq pre^*(\uparrow\! fin)$. The reason behind calling this the almost-sure coverability relation is that the definition given here is equivalent to covering the state $fin$ from $\{k \cdot init\}$ with probability 1 under a probabilistic scheduler which picks agents uniformly at random at each step.

The number $k$ is called a cut-off if one of the following is true: either, 1) for all $h \ge k$, the configuration $\{h \cdot init\}$ almost-surely covers $fin$, in which case $k$ is called a positive cut-off; or, 2) for all $h \ge k$, the configuration $\{h \cdot init\}$ does not almost-surely cover $fin$, in which case $k$ is called a negative cut-off. The following was proved in Theorem 9 of [3].


Theorem 5. Given an RBN with two states init, fin, a cut-off always exists. 
Whether the cut-off is positive or negative can be decided in EXPSPACE. 


Our main result of this section is that 


Theorem 6. Deciding whether the cut-off of a given RBN is positive or negative 
is PSPACE-complete. Moreover, a given RBN always has a cut-off which is at 
most exponential in its number of states. 


5.2 A characterization of almost-sure coverability 


We now rewrite the definition of almost-sure coverability in terms of counting sets. Let $[init]$ be the cube such that $L(q) = U(q) = 0$ if $q \ne init$ and $L(init) = 0$, $U(init) = \infty$. Notice that by definition, $\uparrow\! fin$ is a cube. We now consider the set of configurations defined by $S := post^*([init]) \cap \overline{pre^*(\uparrow\! fin)}$. By our PSPACE Theorem 3, $S$ is a counting set such that the norm of $S$ is at most $2^{p(|Q|)}$ for some fixed polynomial $p$. We now claim the following.


Theorem 7. $R$ has a positive cut-off if and only if $S$ is finite. Moreover, $|Q| \cdot \|S\|$ is an upper bound on the size of the cut-off for $R$ and so $R$ has a cut-off which is exponential in its number of states.


Proof. Let $N$ be the norm of $S$. Suppose $S$ is finite. If $C \in S$, then $\sum_{q \in Q} C(q) \le |Q| \cdot N$. So, if $C$ is any configuration of size $h > |Q| \cdot N$ such that $C \in post^*(\{h \cdot init\})$ then $C \in pre^*(\uparrow\! fin)$. Hence, $|Q| \cdot N$ is a positive cut-off for $R$.

Suppose $S$ is infinite, and let $\bigcup_i \mathcal{C}_i$ be a counting constraint for $S$ whose norm is $N$. Then there must exist an index $i$ with $\mathcal{C}_i := (L, U)$ and a state $p$ such that $U(p) = \infty$. For each $h > N$, consider the configuration $C_h$ given by $C_h(q) = L(q)$ if $q \ne p$ and $C_h(p) = h$. Notice that $C_h \in S$ and so $C_h \in post^*([init]) \cap \overline{pre^*(\uparrow\! fin)}$. Hence, for every $h > |Q| \cdot N$, we have exhibited a configuration of size $h$, reachable from $\{h \cdot init\}$ but from which $fin$ is not coverable. Thus $N$ is a negative cut-off for $R$.


Remark 4. Notice that we have shown that if S is finite, then R has a positive 
cut-off and if S is infinite, then R has a negative cut-off. This gives an alternative 
proof of the fact that a cut-off always exists for a given RBN. 


5.3  PSPACE-completeness of the almost-sure coverability problem 
Because of Theorem 7, we now have the following result. 


Lemma 5. Deciding whether the cut-off of a given RBN is positive or negative 
can be done in PSPACE. 


Proof Sketch. By Theorem 7, it follows that a given RBN has a negative cut-off iff $S = post^*([init]) \cap \overline{pre^*(\uparrow\! fin)}$ is infinite. We have already seen that $S$ is a counting set such that the norm of $S$ is at most $N := 2^{p(|Q|)}$ for some fixed polynomial $p$.

Let $\bigcup_i \mathcal{C}_i$ be a counting constraint for $S$ which minimizes its norm and let each $\mathcal{C}_i = (L_i, U_i)$. Hence, $L_i(q) \le N$ for every state $q$. Further, $S$ is infinite iff there is an index $i$ and a state $q$ such that $U_i(q) = \infty$. Using these two facts, we can then show that $S$ is infinite iff there is a state $q$ and a configuration $C \in S$ such that $C(q') \le N$ for every $q' \ne q$ and $C(q) = N + 1$.

Hence, to check if $S$ is infinite, we just have to guess a state $q$ and a configuration $C$ such that $C(q') \le N$ for every $q' \ne q$ and $C(q) = N + 1$ and check if $C \in S$. Since guessing $C$ can be done in polynomial space (by representing every number in binary), by the PSPACE Theorem (Theorem 3), we can check if $C \in S$ in polynomial space as well, which concludes the proof of the theorem.
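Both the membership algorithm in the proof of the PSPACE Theorem (guess a configuration of the same size, then guess a run, stopping after as many steps as there are configurations of that size) and the set $S = post^*([init]) \cap \overline{pre^*(\uparrow\! fin)}$ of Theorem 7 and Lemma 5 rest on one fact: an RBN step never changes the number of agents, so there are finitely many configurations of a given size and membership can be decided by exhaustive search. The following Python program is an added example, not code from the paper. It evaluates nice expressions in the syntax of Definition 5 restricted to configurations of a chosen size, computes $pre^*$ through the reversed RBN of the proof of Theorem 2, and reports the elements of $S$ of each size. It goes slightly beyond the definition in that $post^*$ and $pre^*$ may be applied to any subexpression, which the Closure Corollary justifies. The three-state RBN, the reconfigurable step semantics (one agent sends; an arbitrary subset of the other agents with a matching receive transition receives) and the names `evaluate`, `size` and `bad_configs_of_size` are all constructed here for illustration.

```python
"""Bounded evaluation of nice expressions over a small RBN (added example)."""
from itertools import product

# Constructed RBN, not one from the paper: Q = {q1, q2, q3}, Sigma = {a}.
# An agent in q1 may broadcast a and move to q2; an agent in q2 that
# receives a moves to q3.  We take init = q1 and fin = q3.
Q = ("q1", "q2", "q3")
IDX = {q: i for i, q in enumerate(Q)}
DELTA = {("q1", "!a", "q2"), ("q2", "?a", "q3")}
INF = float("inf")

def configs(n):
    """All configurations (count vectors over Q) with exactly n agents."""
    return {c for c in product(range(n + 1), repeat=len(Q)) if sum(c) == n}

def successors(c, delta):
    """One-step successors of c under reconfigurable broadcast semantics:
    one agent sends, and any subset of the other agents that have a
    matching receive transition takes it."""
    out = set()
    for (p, act, p2) in delta:
        if not act.startswith("!") or c[IDX[p]] == 0:
            continue
        after = list(c)
        after[IDX[p]] -= 1
        after[IDX[p2]] += 1                 # the sender moves p -> p2
        avail = after[:]
        avail[IDX[p2]] -= 1                 # the sender cannot receive its own message
        recv = [(r, r2) for (r, a, r2) in delta if a == "?" + act[1:]]

        def spread(i, cur, avail):
            if i == len(recv):
                out.add(tuple(cur))
                return
            r, r2 = recv[i]
            for k in range(avail[IDX[r]] + 1):   # k agents take (r, ?a, r2)
                nxt, rem = list(cur), list(avail)
                nxt[IDX[r]] -= k
                nxt[IDX[r2]] += k
                rem[IDX[r]] -= k
                spread(i + 1, nxt, rem)

        spread(0, after, avail)
    return out

def closure(start, delta):
    """post* of start by exhaustive search; finite because a step never
    changes the number of agents (the bound the PSPACE algorithm relies on)."""
    seen, todo = set(start), list(start)
    while todo:
        for s in successors(todo.pop(), delta):
            if s not in seen:
                seen.add(s)
                todo.append(s)
    return seen

def reverse(delta):
    """The reversed RBN from the proof of Theorem 2: pre* here is post* there."""
    return {(q2, act, q) for (q, act, q2) in delta}

def size(e):
    """|E| as defined for nice expressions."""
    if e[0] in ("cube", "post", "pre"):
        return 1
    if e[0] == "not":
        return size(e[1]) + 1
    return size(e[1]) + size(e[2])

def evaluate(e, n):
    """[E] restricted to configurations with n agents.  E is one of
    ('cube', L, U) | ('post', E) | ('pre', E) | ('and', E, E) | ('or', E, E) | ('not', E)."""
    kind = e[0]
    if kind == "cube":
        return {c for c in configs(n) if all(e[1][i] <= c[i] <= e[2][i] for i in range(len(Q)))}
    if kind == "post":
        return closure(evaluate(e[1], n), DELTA)
    if kind == "pre":
        return closure(evaluate(e[1], n), reverse(DELTA))
    if kind == "and":
        return evaluate(e[1], n) & evaluate(e[2], n)
    if kind == "or":
        return evaluate(e[1], n) | evaluate(e[2], n)
    if kind == "not":
        return configs(n) - evaluate(e[1], n)
    raise ValueError(kind)

INIT = ("cube", (0, 0, 0), (INF, 0, 0))         # [init]: only q1 populated
UPFIN = ("cube", (0, 0, 1), (INF, INF, INF))    # up-fin: at least one agent in q3
# S = post*([init]) n complement(pre*(up-fin)): reachable configurations
# from which fin can no longer be covered.
S_EXPR = ("and", ("post", INIT), ("not", ("pre", UPFIN)))

def bad_configs_of_size(n):
    """The elements of S with n agents (membership decided by brute force)."""
    return evaluate(S_EXPR, n)

if __name__ == "__main__":
    for n in range(1, 4):
        print(n, sorted(bad_configs_of_size(n)))
```

For this constructed RBN the run in which no agent ever receives ends with every agent in $q_2$, so $(0, n, 0)$ belongs to $S$ for every $n$ and $S$ is infinite; by Theorem 7 the cut-off is negative, and the program exhibits exactly these configurations for $n = 2$ and $n = 3$. The brute-force search is exponential in the number of states, which is why the paper guesses the run nondeterministically instead of enumerating it.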


We also have the accompanying hardness result. 


Lemma 6. Deciding whether the cut-off of a given RBN is positive or negative 
is PSPACE-hard. 


Similar to the cube-reachability problem, our result on almost-sure cover- 
ability also applies to the related model of ASMS. This solves an open problem 
from [6]. For lack of space, we once again defer this discussion to the appendix. 


6 Application 2: Computation by RBN 


In this section we give another application of our results. We introduce a model of computation using RBN called RBN protocols. We take inspiration from the extensively-studied model of population protocols [1,2,12]. The reader can consult the above references for more details on population protocols.

In our model, reconfigurable networks of identical, anonymous agents interact to compute a predicate $\varphi : \mathbb{N}^I \to \{0,1\}$. We show that RBN protocols compute exactly the threshold predicates, which we will define more formally below.


6.1 RBN Protocols 
We introduce our computation model. The notation mimics that of [13]. 


Definition 6. An RBN protocol is a tuple $\mathcal{P} = (Q, \Sigma, \delta, I, O)$ where $(Q, \Sigma, \delta)$ is an RBN, $I = \{q_1, \ldots, q_n\}$ is a set of input states, and $O : Q \to \{0,1\}$ is an output function.


Configurations and runs of $\mathcal{P}$ are the same as that of the underlying RBN. A configuration $C$ is called a 0-consensus (respectively a 1-consensus) if $C(q) > 0$ implies $O(q) = 0$ (respectively $O(q) = 1$). For $b \in \{0,1\}$, a $b$-consensus $C$ is stable if every configuration reachable from $C$ is also a $b$-consensus. A run $C_0 \to C_1 \to C_2 \cdots$ of $\mathcal{P}$ is fair if it is finite and cannot be extended by any step, or if it is infinite and the following condition holds for all configurations $C, C'$: if $C \to C'$ and $C = C_i$ for infinitely many $i \ge 0$, then the step $C \to C'$ appears infinitely often along the run. In other words, if a fair run reaches a configuration infinitely often, then all the configurations reachable in a step from that configuration will be reached infinitely often from it.

A fair run $C_0 \to C_1 \to \cdots$ converges to $b$ if there is $i \ge 0$ such that $C_j$ is a $b$-consensus for every $j \ge i$. For every $v \in \mathbb{N}^I$, let $C_v$ be the configuration given by $C_v(q_i) = v_i$ for every $q_i \in I$, and $C_v(q) = 0$ for every $q \in Q \setminus I$. We call $C_v$ the initial configuration for input $v$. The protocol $\mathcal{P}$ computes the predicate $\varphi : \mathbb{N}^I \to \{0,1\}$ if for every $v \in \mathbb{N}^I$, every fair run starting at $C_v$ converges to $\varphi(v)$.


Fig. 3. An RBN protocol P. 


Example 3. Adding the dashed line transitions to the RBN of Example 1 yields the RBN protocol $\mathcal{P} = (Q, \Sigma, \delta, I, O)$ illustrated in Figure 3. The initial state is $q_1$, i.e. $I = \{q_1\}$, and the output function is defined such that $O(q_1) = O(q_2) = 0$ and $O(q_3) = 1$. If there is a process in $q_3$, it can "attract" the rest of the processes there using the new dashed transitions. As with the RBN of Example 1, a process can be put in $q_3$ starting from the initial configuration $\{k \cdot q_1\}$ if and only if $k \ge 3$. This RBN protocol computes the predicate $x \ge 3$: if there are less than 3 processes originally in $q_1$ then they stay in states with output 0, and if there are more, then in a fair run a process eventually enters $q_3$, and eventually the others follow, thus converging to 1.


6.2 Expressivity 


In this section, we show that RBN protocols compute exactly the predicates definable by counting sets. A predicate $\varphi : \mathbb{N}^I \to \{0,1\}$ is definable by counting sets if for every $b \in \{0,1\}$, the sets $\{v \mid \varphi(v) = b\}$ are counting sets.

For $b \in \{0,1\}$, define the following sets of configurations:

— Let $\mathcal{C}_b$ be the set of $b$-consensus configurations.

— Let $ST_b$ be the set $\overline{pre^*(\overline{\mathcal{C}_b})}$ of stable $b$-consensuses. These are the configurations from which one can reach only $b$-consensuses.

— Let $\mathcal{I}_b$ be the set of initial configurations $C_v$ for inputs $v$ such that $\varphi(v) = b$.

The next lemma states that every predicate computed by a protocol is definable by counting sets.

Lemma 7. Let $\mathcal{P}$ be an RBN protocol that computes the predicate $\varphi : \mathbb{N}^I \to \{0,1\}$. Then for every $b \in \{0,1\}$, the sets $\mathcal{I}_b$, $\mathcal{C}_b$ and $ST_b$ are all counting sets. This entails that $\varphi$ is definable by counting sets.

Proof Sketch. Fix a $b \in \{0,1\}$. It is easy to see that $\mathcal{C}_b$ is a cube. Unraveling the definitions of $\mathcal{I}_b$ and $ST_b$, we can express them in terms of $\mathcal{C}_b$ by using boolean operations and $pre^*$. By the Closure Corollary (Corollary 1), they are counting sets. The set $\{v \mid \varphi(v) = b\}$ is simply $\mathcal{I}_b$ restricted to $I$, and so we are done.


The next lemma states the converse result. It essentially uses the fact that 
there is a sub-class of population protocols called IO protocols which compute 
exactly the predicates definable by counting sets (Theorem 7 and Theorem 39 
of [2,13]), and that IO protocols are a sub-class of RBN (Section 6.2 of [3]). 


Lemma 8. Let $\varphi : \mathbb{N}^I \to \{0,1\}$ be a predicate definable by counting sets. Then there exists an RBN protocol computing $\varphi$.


By Lemma 7 and Lemma 8, we get our result. 


Theorem 8. RBN protocols compute exactly the predicates definable by count- 
ing sets. 
Abstract. Leroux has proved that unreachability in Petri nets can be witnessed by a Presburger separator, i.e. if a marking $m_{src}$ cannot reach a marking $m_{tgt}$, then there is a formula $\varphi$ of Presburger arithmetic such that: $\varphi(m_{src})$ holds; $\varphi$ is forward invariant, i.e., $\varphi(m)$ and $m \to m'$ imply $\varphi(m')$; and $\neg\varphi(m_{tgt})$ holds. While these separators could be used as explanations and as formal certificates of unreachability, this has not yet been the case due to their (super-)Ackermannian worst-case size and the (super-)exponential complexity of checking that a formula is a separator. We show that, in continuous Petri nets, these two problems can be overcome. We introduce locally closed separators, and prove that: (a) unreachability can be witnessed by a locally closed separator computable in polynomial time; (b) checking whether a formula is a locally closed separator is in NC (so, simpler than unreachability, which is P-complete).


Keywords: Petri net · continuous reachability · separators · certificates.


1 Introduction 


Petri nets form a widespread formalism of concurrency with several applications ranging from the verification of concurrent programs to the analysis of chemical systems. The reachability problem, which asks whether a marking $m_{src}$ can reach another marking $m_{tgt}$, is fundamental as a plethora of problems, such as verifying safety properties, reduce to it (e.g. [13,11,2]).

Leroux has shown that unreachability in Petri nets can be witnessed by a Presburger separator, i.e., if a marking $m_{src}$ cannot reach a marking $m_{tgt}$, then there exists a formula $\varphi$ of Presburger arithmetic such that: $\varphi(m_{src})$ holds; $\varphi$ is forward invariant, i.e., $\varphi(m)$ and $m \to m'$ imply $\varphi(m')$; and $\varphi(m_{tgt})$ does not hold [14]. Intuitively, $\varphi$ "separates" $m_{tgt}$ from the set of markings reachable from $m_{src}$. Leroux's result leads to a very simple algorithm to decide the Petri net reachability problem, consisting of two semi-algorithms; the first one explores the markings reachable from $m_{src}$, and halts if and when it hits $m_{tgt}$, while the second enumerates formulas from Presburger arithmetic, and halts if and when it hits a separator.


Separators can be used as explanations and as formal certificates. Verifying 
a safety property can be reduced to proving that a target marking (or set of 
markings) is not reachable from a source marking, and a separator is an invariant 
of the system that explains why the property holds. Further, if a reachability tool 
produces separators, then the user can check that the properties of a separator 
indeed hold, and so trust the result even if they do not trust the tool (e.g., 
because it has not been verified, or is executed on a remote faster machine). 
Yet, in order to be useful as explanations and certificates, separators have to 
satisfy two requirements: (1) they should not be too large, and (2) checking 
that a formula is a separator should have low complexity, and in particular 
lower complexity than deciding reachability. This does not hold, at least in the 
worst-case, for the separators of [14]: In the worst case, the separator has super- 
Ackermannian size in the Petri net size (a consequence of the fact that the 
reachability problem is Ackermann-complete [16,15,7]) and the complexity of 
the check is super-exponential. 


In this paper, we show that, unlike the above, continuous Petri nets do have separators satisfying properties (1) and (2). Continuous Petri nets are a relaxation of the standard Petri net model, called discrete in the following, in which transitions are allowed to fire "fluidly": instead of firing once, consuming $i_p$ tokens from each input place $p$ and adding $o_q$ tokens to each output place $q$, a transition can fire $\alpha$ times for any nonnegative real number $\alpha$, consuming and adding $\alpha \cdot i_p$ and $\alpha \cdot o_q$ tokens, respectively. Continuous Petri nets are interesting in their own right [8], and moreover as an overapproximation of the discrete model. In particular, if $m_{tgt}$ is not reachable from $m_{src}$ under the continuous semantics, then it is also not under the discrete one. As reachability in continuous Petri nets is P-complete [12], and so drastically more tractable than discrete reachability, this approximation is used in many tools for the verification of discrete Petri nets, VAS, or multiset rewriting systems (e.g. [5,4,10]).

It is easy to see that unreachability in continuous Petri nets can be witnessed by separators expressible in linear arithmetic (the first-order theory of the reals with addition and order). Indeed, Blondin et al. show in [5] that the continuous reachability relation is expressible by an existential formula $reach(m, m')$ of linear arithmetic, from which we can obtain a separator for any pair of unreachable markings. To wit, for all markings $m_{src}$ and $m_{tgt}$, if $m_{tgt}$ is not reachable from $m_{src}$, then the formula $sep_{m_{src}}(m) := \neg reach(m_{src}, m)$ is a separator. Further, $reach(m, m')$ has only linear size. However, these separators do not satisfy property (2) unless P = NP. Indeed, while the reachability problem for continuous Petri nets is P-complete [12], checking if a formula of linear arithmetic is a separator is coNP-hard, even for quantifier-free formulas in disjunctive normal form, a very small fragment. So, the separators arising from [5] cannot be directly used as certificates.


In this paper, we overcome this problem. We identify a class of locally closed separators, satisfying the following properties: unreachability can always be witnessed by locally closed separators; locally closed separators can be constructed in polynomial time; and checking whether a formula is a locally closed separator is computationally easier than deciding unreachability. Let us examine the last claim in more detail. While the reachability problem for continuous Petri nets is decidable in polynomial time, it is still time consuming for larger models, which can have tens of thousands of nodes. Indeed, for a Petri net with $n$ places and $m$ transitions, the algorithm of [12] requires to solve $O(m^2)$ linear programming problems in $n$ variables, each of them with up to $m$ constraints. Moreover, since the problem is P-complete, it is unlikely that a parallel computer can significantly improve performance. We prove that, on the contrary, checking if a formula is a locally closed separator is in NC rather than P-complete, and so efficiently parallelizable. Further, the checking algorithm only requires to solve linear programming problems in a single variable.

The paper is organized as follows. Section 2 introduces terminology, and 
defines separators (actually, a slightly different notion called bi-separators). Sec- 
tion 3 recalls the characterization of the reachability relation given by Fraca 
and Haddad in [12], and derives a characterization of unreachability suitable 
for finding bi-separators. Section 4 shows that checking the separators derivable 
from [5] is coNP-hard, and introduces locally closed bi-separators. Sections 5 
and 6 show that locally closed bi-separators satisfy the aforementioned proper- 
ties (1) and (2). Finally, Section 7 shows that all our results can be extended to 
separators that separate two sets of markings instead of singletons. 


2 Preliminaries 


Numbers, vectors and relations. We write $\mathbb{N}$, $\mathbb{R}$ and $\mathbb{R}_+$ to denote the naturals (including 0), reals, and non-negative reals (including 0). Let $S$ be a finite set. We write $e_s$ to denote the unit vector $e_s \in \mathbb{R}^S$ such that $e_s(s) = 1$ and $e_s(t) = 0$ for all $s, t \in S$ such that $t \ne s$. Given $x, y \in \mathbb{R}^S$, we write $x \sim y$ to indicate that $x(s) \sim y(s)$ for all $s \in S$, where $\sim$ is a total order such as $\le$. We define the support of a vector $x \in \mathbb{R}^S$ as $supp(x) := \{s \in S : x(s) > 0\}$. We write $x(S) := \sum_{s \in S} x(s)$. The transpose of a binary relation $R$ is $R^T = \{(y, x) : (x, y) \in R\}$.


Petri nets. A Petri net$^3$ is a tuple $\mathcal{N} = (P, T, F)$ where $P$ and $T$ are disjoint finite sets, whose elements are respectively called places and transitions, and where $F = (F_-, F_+)$ with $F_-, F_+ : P \times T \to \mathbb{N}$. For every $t \in T$, vectors $\Delta_t^-, \Delta_t^+ \in \mathbb{N}^P$ are respectively defined as the column of $F_-$ and $F_+$ associated to $t$, i.e. $\Delta_t^- := F_- \cdot e_t$ and $\Delta_t^+ := F_+ \cdot e_t$. A marking is a vector $m \in \mathbb{R}_+^P$. We say that transition $t$ is $\alpha$-enabled if $m \ge \alpha \Delta_t^-$ holds. If this is the case, then $t$ can be $\alpha$-fired from $m$, which leads to marking $m' := m - \alpha\Delta_t^- + \alpha\Delta_t^+$, which we denote $m \xrightarrow{\alpha t} m'$. A transition is enabled if it is $\alpha$-enabled for some real number $\alpha > 0$. We define $F = F_+ - F_-$ and $\Delta_t = F \cdot e_t$. In particular, $m \xrightarrow{\alpha t} m'$ implies $m' = m + \alpha\Delta_t$. For example, for the Petri net of Figure 1:

$$\{p_1 \mapsto 2, p_2 \mapsto 0, p_3 \mapsto 0, p_4 \mapsto 0\} \xrightarrow{(1/2)t_1} \{p_1 \mapsto 3/2, p_2 \mapsto 1/2, p_3 \mapsto 0, p_4 \mapsto 0\}.$$

Moreover, w.r.t. orderings $p_1 < \cdots < p_4$ (rows) and $t_1 < \cdots < t_4$ (columns):

$$F_- = \begin{pmatrix} 1 & 2 & 2 & 0 \\ 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 1 \\ 0 & 1 & 0 & 0 \end{pmatrix}, \qquad F_+ = \begin{pmatrix} 0 & 0 & 1 & 0 \\ 1 & 0 & 0 & 0 \\ 0 & 1 & 1 & 0 \\ 0 & 1 & 0 & 1 \end{pmatrix}, \qquad F = \begin{pmatrix} -1 & -2 & -1 & 0 \\ 1 & 0 & -1 & 0 \\ 0 & 1 & 1 & -1 \\ 0 & 0 & 0 & 1 \end{pmatrix}.$$

Fig. 1. A Petri net and two markings $m_{src} = \{p_1 \mapsto 2, p_2 \mapsto 0, p_3 \mapsto 0, p_4 \mapsto 0\}$ (black circles) and $m_{tgt} = \{p_1 \mapsto 0, p_2 \mapsto 0, p_3 \mapsto 0, p_4 \mapsto 1\}$ (colored squares).

$^3$ In this work, "Petri nets" stands for "continuous Petri nets". In other words, we will consider standard Petri nets, but equipped with a continuous reachability relation. We will work over the reals, but note that it is known that working over the rationals is equivalent. For decidability issues, we will assume input numbers to be rationals.


A sequence $\sigma = \alpha_1 t_1 \cdots \alpha_n t_n$ is a firing sequence from $\mathbf{m}_{src}$ to $\mathbf{m}_{tgt}$ if there are markings $\mathbf{m}_0, \ldots, \mathbf{m}_n$ satisfying $\mathbf{m}_{src} = \mathbf{m}_0 \xrightarrow{\alpha_1 t_1} \mathbf{m}_1 \cdots \xrightarrow{\alpha_n t_n} \mathbf{m}_n = \mathbf{m}_{tgt}$. We write $\mathbf{m}_0 \xrightarrow{\sigma} \mathbf{m}_n$. We say that $\mathbf{m}_{src}$ enables $\sigma$, and that $\mathbf{m}_{tgt}$ enables $\sigma$ backwards, or backward-enables $\sigma$. The support of $\sigma$ is the set $\{t_1, \ldots, t_n\}$. For example, for the Petri net of Figure 1, we have $\mathbf{m}_{src} \xrightarrow{\sigma} \mathbf{m}_{tgt}$ where

$$\mathbf{m}_{src} = \{p_1 \mapsto 2, p_2 \mapsto 0, p_3 \mapsto 0, p_4 \mapsto 0\},$$
$$\mathbf{m}_{tgt} = \{p_1 \mapsto 0, p_2 \mapsto 0, p_3 \mapsto 0, p_4 \mapsto 1\},$$
$$\sigma = (1/2)\, t_1\; (1/2)\, t_3\; (1/2)\, t_4\; (1/2)\, t_2\; (1/2)\, t_4.$$

Let $U \subseteq T$. We write $\mathbf{m} \xrightarrow{U} \mathbf{m}'$ to denote that $\mathbf{m} \xrightarrow{\alpha t} \mathbf{m}'$ for some $\alpha > 0$ and $t \in U$, and $\xrightarrow{U}{}^*$ for the transitive and reflexive closure of $\xrightarrow{U}$. We simply write $\to$ and $\to^*$ when $U = T$. The Petri net $\mathcal{N}_U$ is obtained by removing transitions $T \setminus U$ from $\mathcal{N}$. In particular, $\mathbf{m} \xrightarrow{U}{}^* \mathbf{m}'$ holds in $\mathcal{N}$ iff $\mathbf{m} \to^* \mathbf{m}'$ holds in $\mathcal{N}_U$.

The transpose of $\mathcal{N} = (P, T, (F_-, F_+))$ is $\mathcal{N}^T := (P, T, (F_+, F_-))$. We have $\mathbf{m}_{src} \xrightarrow{\sigma} \mathbf{m}_{tgt}$ in $\mathcal{N}$ iff $\mathbf{m}_{tgt} \xrightarrow{\overline{\sigma}} \mathbf{m}_{src}$ in $\mathcal{N}^T$, where $\overline{\sigma}$ is the reverse of $\sigma$. For $U \subseteq T$, we write $U^T$ to denote $U$ in the context of $\mathcal{N}^T$. This way, when we write, e.g., $\xrightarrow{U}$ and $\xrightarrow{U^T}$, it is clear that we respectively refer to $\mathcal{N}$ and $\mathcal{N}^T$.
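The firing rule, firing sequences and the transpose net just defined, as an added example that is not part of the paper: a small Python encoding of the net of Figure 1 (its $F_-$ and $F_+$ matrices, with places and transitions 0-indexed) that $\alpha$-fires transitions with exact rationals, replays the firing sequence $\sigma$ given above, and checks that the reversed sequence $\overline{\sigma}$ leads from $\mathbf{m}_{tgt}$ back to $\mathbf{m}_{src}$ in $\mathcal{N}^T$. All function and variable names are the example's own.

```python
"""Continuous Petri net of Figure 1: alpha-firing, firing sequences, transpose.

Added example (not code from the paper).  The net is given by the matrices
F_- and F_+ of the text; place p_i is index i-1 and transition t_j is index j-1.
"""
from fractions import Fraction

# Rows p1..p4, columns t1..t4, exactly as displayed in the text.
F_MINUS = [[1, 2, 2, 0], [0, 0, 1, 0], [0, 0, 0, 1], [0, 1, 0, 0]]
F_PLUS = [[0, 0, 1, 0], [1, 0, 0, 0], [0, 1, 1, 0], [0, 1, 0, 1]]

def column(matrix, t):
    """Delta^-_t / Delta^+_t: the column of F_- / F_+ associated with t."""
    return [Fraction(row[t]) for row in matrix]

def transpose_net(f_minus, f_plus):
    """N^T swaps F_- and F_+, so consumption and production change roles."""
    return f_plus, f_minus

def enabled(m, t, alpha, f_minus):
    """t is alpha-enabled in m iff m >= alpha * Delta^-_t componentwise."""
    return all(mi >= alpha * d for mi, d in zip(m, column(f_minus, t)))

def fire(m, t, alpha, f_minus, f_plus):
    """alpha-fire t from m: m' = m - alpha*Delta^-_t + alpha*Delta^+_t.
    Returns None when t is not alpha-enabled in m."""
    if not enabled(m, t, alpha, f_minus):
        return None
    dm, dp = column(f_minus, t), column(f_plus, t)
    return [mi - alpha * a + alpha * b for mi, a, b in zip(m, dm, dp)]

def run(m, sequence, f_minus, f_plus):
    """Fire a sequence [(alpha, t), ...]; None as soon as a step is disabled."""
    for alpha, t in sequence:
        m = fire(m, t, alpha, f_minus, f_plus)
        if m is None:
            return None
    return m

half = Fraction(1, 2)
M_SRC = [Fraction(2), Fraction(0), Fraction(0), Fraction(0)]
M_TGT = [Fraction(0), Fraction(0), Fraction(0), Fraction(1)]
# sigma = (1/2)t1 (1/2)t3 (1/2)t4 (1/2)t2 (1/2)t4, as in the text
SIGMA = [(half, 0), (half, 2), (half, 3), (half, 1), (half, 3)]

def reaches_via_sigma():
    """m_src --sigma--> m_tgt in N."""
    return run(M_SRC, SIGMA, F_MINUS, F_PLUS) == M_TGT

def transpose_reaches_via_reversed_sigma():
    """m_tgt --reverse(sigma)--> m_src in N^T."""
    fm, fp = transpose_net(F_MINUS, F_PLUS)
    return run(M_TGT, list(reversed(SIGMA)), fm, fp) == M_SRC

if __name__ == "__main__":
    print(fire(M_SRC, 0, half, F_MINUS, F_PLUS))   # [3/2, 1/2, 0, 0]
    print(reaches_via_sigma(), transpose_reaches_via_reversed_sigma())
```

Firing (1/2)$t_1$ from $\mathbf{m}_{src}$ reproduces the step displayed after the definition of $\Delta_t$, and the two boolean functions reproduce the two directions of the transpose property. Markings are kept as fractions so that enabledness tests are exact rather than subject to floating-point rounding.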


Linear arithmetic and Farkas' lemma. An atomic proposition is a linear inequality of the form $\mathbf{a}\mathbf{x} \leq b$ or $\mathbf{a}\mathbf{x} < b$, where $b$ and the components of $\mathbf{a}$ are over $\mathbb{R}$. Such a proposition is homogeneous if $b = 0$. A linear formula is a first-order formula over atomic propositions with variables ranging over $\mathbb{R}_{\geq 0}$ (the classical definition uses $\mathbb{R}$, but in our context variables will encode markings). The solutions of a linear formula $\varphi$, denoted $[\![\varphi]\!]$, are the assignments to the free variables of $\varphi$ that satisfy $\varphi$. A linear formula is homogeneous if all of its atomic propositions are homogeneous. For every formula $\varphi(\mathbf{x}, \mathbf{y})$ where $\mathbf{x}$ and $\mathbf{y}$ have the same arity, we write $\varphi^T$ to denote the formula that syntactically swaps $\mathbf{x}$ and $\mathbf{y}$, so that $[\![\varphi^T]\!] = [\![\varphi]\!]^T$. Throughout the paper, we will use Farkas' lemma, a fundamental result of linear arithmetic that rephrases the absence of a solution to a system into the existence of one for another system:

Lemma 1 (Farkas' lemma). Let $A \in \mathbb{R}^{m \times n}$ and $\mathbf{b} \in \mathbb{R}^m$. The formula $A\mathbf{x} \leq \mathbf{b}$ has no solution iff $A^T\mathbf{y} = \mathbf{0} \wedge \mathbf{b}^T\mathbf{y} < 0 \wedge \mathbf{y} \geq \mathbf{0}$ has a solution.


2.1 Separators and bi-separators

Let us fix a Petri net $\mathcal{N} = (P, T, F)$ and two markings $\mathbf{m}_{src}, \mathbf{m}_{tgt} \in \mathbb{R}^P_{\geq 0}$.

Definition 1. A separator for $(\mathbf{m}_{src}, \mathbf{m}_{tgt})$ is a linear formula $\varphi$ over $\mathbb{R}^P_{\geq 0}$ such that: (1) $\mathbf{m}_{src} \in [\![\varphi]\!]$; (2) $\varphi$ is forward invariant, i.e., $\mathbf{m} \in [\![\varphi]\!]$ and $\mathbf{m} \to \mathbf{m}'$ implies $\mathbf{m}' \in [\![\varphi]\!]$; and (3) $\mathbf{m}_{tgt} \notin [\![\varphi]\!]$.

It follows immediately from the definition that if there exists a separator $\varphi$ for $(\mathbf{m}_{src}, \mathbf{m}_{tgt})$, then $\mathbf{m}_{src} \not\to^* \mathbf{m}_{tgt}$. Thus, in order to show that $\mathbf{m}_{src} \not\to^* \mathbf{m}_{tgt}$ in $\mathcal{N}$, we can either give a separator for $(\mathbf{m}_{src}, \mathbf{m}_{tgt})$ w.r.t. $\mathcal{N}$, or a separator for $(\mathbf{m}_{tgt}, \mathbf{m}_{src})$ w.r.t. $\mathcal{N}^T$. Let us call them forward and backward separators. Loosely speaking, a forward separator shows that $\mathbf{m}_{tgt}$ is not among the markings reachable from $\mathbf{m}_{src}$, and a backward separator shows that $\mathbf{m}_{src}$ is not among the markings backward-reachable from $\mathbf{m}_{tgt}$. Bi-separators are formulas from which we can easily obtain forward and backward separators. Their symmetry w.r.t. forward and backward reachability makes them easier to handle.

Definition 2. A linear formula $\varphi$ over $(\mathbb{R}^P_{\geq 0})^2$ is forward invariant if $(\mathbf{m}, \mathbf{m}') \in [\![\varphi]\!]$ and $\mathbf{m}' \to \mathbf{m}''$ imply $(\mathbf{m}, \mathbf{m}'') \in [\![\varphi]\!]$; backward invariant if $(\mathbf{m}', \mathbf{m}'') \in [\![\varphi]\!]$ and $\mathbf{m} \to \mathbf{m}'$ imply $(\mathbf{m}, \mathbf{m}'') \in [\![\varphi]\!]$; and bi-invariant if it is forward and backward invariant. A bi-separator for $(\mathbf{m}_{src}, \mathbf{m}_{tgt})$ is a bi-invariant linear formula $\varphi$ s.t. $(\mathbf{m}_{src}, \mathbf{m}_{src}) \in [\![\varphi]\!]$, $(\mathbf{m}_{tgt}, \mathbf{m}_{tgt}) \in [\![\varphi]\!]$ and $(\mathbf{m}_{src}, \mathbf{m}_{tgt}) \notin [\![\varphi]\!]$.

The following proposition shows how to obtain separators from bi-separators.

Proposition 1. Let $\varphi$ be a bi-separator for $(\mathbf{m}_{src}, \mathbf{m}_{tgt})$. The following holds:
– $\psi(\mathbf{m}) := \varphi(\mathbf{m}_{src}, \mathbf{m})$ is a separator for $(\mathbf{m}_{src}, \mathbf{m}_{tgt})$ in $\mathcal{N}$;
– $\psi(\mathbf{m}) := \varphi(\mathbf{m}, \mathbf{m}_{tgt})$ is a separator for $(\mathbf{m}_{tgt}, \mathbf{m}_{src})$ in $\mathcal{N}^T$.

Proof. It suffices to prove the first statement, the second is symmetric.

It is the case that $\mathbf{m}_{src} \in [\![\psi]\!]$ and $\mathbf{m}_{tgt} \notin [\![\psi]\!]$ as $(\mathbf{m}_{src}, \mathbf{m}_{src}) \in [\![\varphi]\!]$ and $(\mathbf{m}_{src}, \mathbf{m}_{tgt}) \notin [\![\varphi]\!]$. It remains to show that $\psi$ is forward invariant. Let $\mathbf{m} \in [\![\psi]\!]$ and $\mathbf{m} \to \mathbf{m}'$. Since $(\mathbf{m}_{src}, \mathbf{m}) \in [\![\varphi]\!]$ and $\varphi$ is forward invariant, it is the case that $(\mathbf{m}_{src}, \mathbf{m}') \in [\![\varphi]\!]$. Hence, $\mathbf{m}' \in [\![\psi]\!]$ as desired.
3 A characterization of unreachability

In [12], Fraca and Haddad gave the following characterization of the reachability relation in continuous Petri nets:

Theorem 1 ([12]). Let $\mathcal{N} = (P, T, F)$ be a Petri net, let $U \subseteq T$, and let $\mathbf{m}_{src}, \mathbf{m}_{tgt} \in \mathbb{R}^P_{\geq 0}$. It is the case that $\mathbf{m}_{src} \xrightarrow{U}{}^* \mathbf{m}_{tgt}$ iff there exists $S \subseteq U$ such that the following conditions hold:

1. some vector $\mathbf{x} \in \mathbb{R}^T_{\geq 0}$ with support $S$ satisfies $\mathbf{m}_{src} + F\mathbf{x} = \mathbf{m}_{tgt}$,
2. some firing sequence $\sigma$ with support $S$ is enabled at $\mathbf{m}_{src}$, and
3. some firing sequence $\tau$ with support $S$ is backward-enabled at $\mathbf{m}_{tgt}$.

Furthermore, these conditions can be checked in polynomial time.

Theorem 1 has the following form, where $P_1$, $P_2$ and $P_3$ stand for the conditions of 1., 2., and 3.:

$$\mathbf{m}_{src} \xrightarrow{U}{}^* \mathbf{m}_{tgt} \iff \exists S \subseteq U : (\exists \mathbf{x} : P_1(S, \mathbf{x})) \wedge (\exists \sigma : P_2(S, \sigma)) \wedge (\exists \tau : P_3(S, \tau)).$$

Therefore, $\mathbf{m}_{src} \not\xrightarrow{U}{}^* \mathbf{m}_{tgt}$ holds iff

$$\forall S \subseteq U : (\forall \mathbf{x} : \neg P_1(S, \mathbf{x})) \vee (\forall \sigma : \neg P_2(S, \sigma)) \vee (\forall \tau : \neg P_3(S, \tau)).$$

To obtain a witness of unreachability for a given $S \subseteq U$, we replace each universally quantified disjunct by an existentially quantified equivalent one. For conditions 2. and 3., the solution (implicitly given in [12]) is formulated in Proposition 2. Given a set of places $X$, let ${}^\circ X$ (resp. $X^\circ$) be the set of transitions $t$ such that $F_+(p, t) > 0$ (resp. $F_-(p, t) > 0$) for some $p \in X$. A siphon of $\mathcal{N}$ is a subset $Q$ of places such that ${}^\circ Q \subseteq Q^\circ$. A trap is a subset $R$ of places such that $R^\circ \subseteq {}^\circ R$. Informally, empty siphons remain empty, and marked traps remain marked. Formally, if $\mathbf{m} \to \mathbf{m}'$, then $\mathbf{m}(Q) = 0$ implies $\mathbf{m}'(Q) = 0$, and $\mathbf{m}(R) > 0$ implies $\mathbf{m}'(R) > 0$. We have:

Proposition 2 ([12]). Let $\mathcal{N} = (P, T, F)$ be a Petri net, let $S \subseteq T$, and let $\mathbf{m} \in \mathbb{R}^P_{\geq 0}$. The following statements hold:

– No firing sequence with support $S$ is enabled at $\mathbf{m}$ iff there exists a siphon $Q$ of $\mathcal{N}_S$ such that $Q^\circ \neq \emptyset$ satisfies $\mathbf{m}(Q) = 0$;
– No firing sequence with support $S$ is backward-enabled at $\mathbf{m}$ iff there exists a trap $R$ of $\mathcal{N}_S$ such that ${}^\circ R \neq \emptyset$ satisfies $\mathbf{m}(R) = 0$.

So the universal statements "no firing sequence ... is enabled/backward-enabled ..." are replaced by existential statements "there exists a siphon/trap ...". The if-direction of the proposition is easy to prove. A siphon $Q$ of $\mathcal{N}_S$ satisfies $Q^\circ \subseteq S$. Since $Q$ is empty at $\mathbf{m}$, if we only fire transitions from $S$ then $Q$ remains empty, and so no transition of $Q^\circ$ ever becomes enabled. So transitions of $Q^\circ$ can only fire after transitions that do not belong to $S$ have fired first. But no such firing sequence has support $S$, and we are done. The case of traps is analogous. For the only-if direction we refer the reader to [12].

For condition 1. of Theorem 1, we obtain a solution in terms of exclusion functions.
Definition 3. Let $\mathcal{N} = (P, T, F)$ be a Petri net, let $\mathbf{m}_{src}, \mathbf{m}_{tgt} \in \mathbb{R}^P_{\geq 0}$ and let $S \subseteq S' \subseteq T$. An exclusion function for $(S, S')$ is a function $f \colon \mathbb{R}^P \to \mathbb{R}$ s.t.

1. $\mathbf{m} \xrightarrow{s} \mathbf{m}'$ implies $f(\mathbf{m}) \leq f(\mathbf{m}')$ for all $s \in S'$; and
2. either $f(\mathbf{m}_{src}) > f(\mathbf{m}_{tgt})$; or $f(\mathbf{m}_{src}) = f(\mathbf{m}_{tgt})$ and there exists $s \in S$ such that $\mathbf{m} \xrightarrow{s} \mathbf{m}'$ implies $f(\mathbf{m}) < f(\mathbf{m}')$.

An exclusion function for $S$ is an exclusion function for $(S, S)$.

An exclusion function for $S$ excludes the existence of a firing sequence from $\mathbf{m}_{src}$ to $\mathbf{m}_{tgt}$ with support $S$, i.e., witnesses that condition 1 of Theorem 1 fails. To see why, call $f(\mathbf{m})$ the value of $\mathbf{m}$. By definition of $f$, either $\mathbf{m}_{tgt}$ has lower value than $\mathbf{m}_{src}$, but no transition of $S$ decreases it, or $\mathbf{m}_{src}$ and $\mathbf{m}_{tgt}$ have the same value but no transition of $S$ decreases it, and at least one increases it. So it is impossible to reach $\mathbf{m}_{tgt}$ from $\mathbf{m}_{src}$ by firing all and only the transitions of $S$. Let us apply exclusion functions and Proposition 2 to an example.

Example 1. Consider the Petri net of Figure 1, but with $\mathbf{m}_{tgt} = \{p_1 \mapsto 0, p_2 \mapsto 0, p_3 \mapsto 1, p_4 \mapsto 0\}$ as target. We prove $\mathbf{m}_{src} \not\to^* \mathbf{m}_{tgt}$. For the sake of contradiction, assume $\mathbf{m}_{src} \xrightarrow{U}{}^* \mathbf{m}_{tgt}$ for some $U \subseteq T$. We proceed in several steps:

– Claim: $t_4 \notin U$. The function $f(\mathbf{m}) := \mathbf{m}(p_4)$ is an exclusion function for $T$. Indeed, since no transition decreases the number of tokens of $p_4$, $\mathbf{m} \xrightarrow{t} \mathbf{m}'$ implies $f(\mathbf{m}) \leq f(\mathbf{m}')$ for every transition $t \in T$. Furthermore, $f(\mathbf{m}_{src}) = 0 = f(\mathbf{m}_{tgt})$, and, since $t_4$ adds tokens to $p_4$, $\mathbf{m} \xrightarrow{t_4} \mathbf{m}'$ implies $f(\mathbf{m}) < f(\mathbf{m}')$. It follows that no firing sequence from $\mathbf{m}_{src}$ to $\mathbf{m}_{tgt}$ can fire $t_4$.

– Claim: $t_2 \notin U$. The set $Q := \{p_4\}$ is a siphon of $\mathcal{N}_{T \setminus \{t_4\}}$ (but not of $\mathcal{N}$). Since $\mathbf{m}_{src}(Q) = 0$, it is impossible to use transitions of $\mathcal{N}_{T \setminus \{t_4\}}$ that consume from $Q$, i.e. transitions of $Q^\circ = \{t_2\}$.

– Claim: $t_1, t_3 \notin U$. The set $R := \{p_1, p_2\}$ is a trap of $\mathcal{N}_{T \setminus \{t_2, t_4\}}$ (but not of $\mathcal{N}_{T \setminus \{t_4\}}$). Since $\mathbf{m}_{tgt}(R) = 0$, it is impossible to reach $\mathbf{m}_{tgt}$ using transitions of $\mathcal{N}_{T \setminus \{t_2, t_4\}}$ that produce in $R$, i.e. transitions of ${}^\circ R = \{t_1, t_3\}$.

By the claims, $U = \emptyset$, hence we reach the contradiction $\mathbf{m}_{src} = \mathbf{m}_{tgt}$.
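The three witnesses of Example 1 can be checked mechanically. The following added example (not the paper's code) encodes the net of Figure 1 again, computes the largest empty siphon and the largest empty trap of $\mathcal{N}_S$ by a fixed-point elimination (a standard procedure, not taken from [9] or [12]), decides the two items of Proposition 2 through them, and tests Definition 3 for a linear function $f(\mathbf{m}) = \mathbf{y} \cdot \mathbf{m}$ by the sign of $\mathbf{y} \cdot \Delta_t$, since $\mathbf{m} \xrightarrow{\alpha t} \mathbf{m}'$ gives $f(\mathbf{m}') - f(\mathbf{m}) = \alpha\, \mathbf{y} \cdot \Delta_t$. All names are the example's own.

```python
"""Witnesses of Example 1 for the net of Figure 1, checked mechanically.

Added example (not code from the paper).  Places p1..p4 are indices 0..3,
transitions t1..t4 are indices 0..3; a set S of transitions encodes N_S.
"""
F_MINUS = [[1, 2, 2, 0], [0, 0, 1, 0], [0, 0, 0, 1], [0, 1, 0, 0]]
F_PLUS = [[0, 0, 1, 0], [1, 0, 0, 0], [0, 1, 1, 0], [0, 1, 0, 1]]
PLACES = range(4)
T = {0, 1, 2, 3}

def pre_set(places, S):
    """°X in N_S: transitions of S producing into some place of X."""
    return {t for t in S for p in places if F_PLUS[p][t] > 0}

def post_set(places, S):
    """X° in N_S: transitions of S consuming from some place of X."""
    return {t for t in S for p in places if F_MINUS[p][t] > 0}

def is_siphon(Q, S):
    return pre_set(Q, S) <= post_set(Q, S)

def is_trap(R, S):
    return post_set(R, S) <= pre_set(R, S)

def maximal_empty_siphon(m, S):
    """Largest siphon Q of N_S with m(Q) = 0 (siphons are closed under union):
    start from all empty places, drop a place fed by a transition of S that
    does not consume from the current candidate, and iterate to a fixed point."""
    Q = {p for p in PLACES if m[p] == 0}
    changed = True
    while changed:
        changed = False
        for p in sorted(Q):
            if any(F_PLUS[p][t] > 0 and t not in post_set(Q, S) for t in S):
                Q.discard(p)
                changed = True
    return Q

def maximal_empty_trap(m, S):
    """Largest trap R of N_S with m(R) = 0, computed dually."""
    R = {p for p in PLACES if m[p] == 0}
    changed = True
    while changed:
        changed = False
        for p in sorted(R):
            if any(F_MINUS[p][t] > 0 and t not in pre_set(R, S) for t in S):
                R.discard(p)
                changed = True
    return R

def no_sequence_with_support_enabled(m, S):
    """Proposition 2, first item: an empty siphon Q of N_S with Q° != {} exists
    iff the largest empty siphon already has a non-empty post-set."""
    return len(post_set(maximal_empty_siphon(m, S), S)) > 0

def no_sequence_with_support_backward_enabled(m, S):
    """Proposition 2, second item, with traps and °R."""
    return len(pre_set(maximal_empty_trap(m, S), S)) > 0

def is_linear_exclusion_function(y, m_src, m_tgt, S, S_prime):
    """Definition 3 for f(m) = y·m: item 1 is y·Delta_t >= 0 for t in S',
    item 2 compares f at the two markings and looks for t in S with y·Delta_t > 0."""
    def y_delta(t):
        return sum(y[p] * (F_PLUS[p][t] - F_MINUS[p][t]) for p in PLACES)
    f_src = sum(y[p] * m_src[p] for p in PLACES)
    f_tgt = sum(y[p] * m_tgt[p] for p in PLACES)
    non_decreasing = all(y_delta(t) >= 0 for t in S_prime)
    strict_witness = any(y_delta(t) > 0 for t in S)
    return non_decreasing and (f_src > f_tgt or (f_src == f_tgt and strict_witness))

M_SRC, M_TGT = [2, 0, 0, 0], [0, 0, 1, 0]   # the markings of Example 1

def example_1_claims():
    """The three claims of Example 1, in order, as booleans."""
    # f(m) = m(p4) is an exclusion function for ({t4}, T), hence for T as well.
    t4_excluded = is_linear_exclusion_function([0, 0, 0, 1], M_SRC, M_TGT, {3}, T)
    # Q = {p4} is a siphon of N_{T \ {t4}} but not of N, it is empty at m_src, Q° = {t2}.
    Q, S1 = {3}, T - {3}
    t2_excluded = (is_siphon(Q, S1) and not is_siphon(Q, T)
                   and M_SRC[3] == 0 and post_set(Q, S1) == {1})
    # R = {p1, p2} is a trap of N_{T \ {t2, t4}} but not of N_{T \ {t4}}, empty at m_tgt, °R = {t1, t3}.
    R, S2 = {0, 1}, T - {1, 3}
    t1_t3_excluded = (is_trap(R, S2) and not is_trap(R, T - {3})
                      and M_TGT[0] + M_TGT[1] == 0 and pre_set(R, S2) == {0, 2})
    return t4_excluded, t2_excluded, t1_t3_excluded
```

Because siphons (resp. traps) are closed under union, the largest empty siphon (resp. trap) of $\mathcal{N}_S$ has the largest post-set (resp. pre-set), so the existence test of Proposition 2 only needs that one set; this is the same closure argument that Theorem 2's proof uses for $Q$ and $R$.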


Proposition 4 below shows that condition 1. of Theorem 1 fails if and only if there is an exclusion function for $S$ (actually, a slightly more general result). We need the following consequence of Farkas' lemma:

Proposition 3. The system $\exists \mathbf{x} \geq \mathbf{0} : A\mathbf{x} = \mathbf{b} \wedge S \subseteq \mathrm{supp}(\mathbf{x}) \subseteq S'$ has no solution iff this system has some: $\exists \mathbf{y} : A^T\mathbf{y} \geq_{S'} \mathbf{0} \wedge \mathbf{b}^T\mathbf{y} \leq 0 \wedge \mathbf{b}^T\mathbf{y} < \sum_{s \in S} (A^T\mathbf{y})_s$.

Proposition 4. Let $\mathcal{N} = (P, T, F)$ be a Petri net, let $\mathbf{m}_{src}, \mathbf{m}_{tgt} \in \mathbb{R}^P_{\geq 0}$, and let $S \subseteq S' \subseteq T$. No vector $\mathbf{x} \in \mathbb{R}^T_{\geq 0}$ satisfies $S \subseteq \mathrm{supp}(\mathbf{x}) \subseteq S'$ and $\mathbf{m}_{src} + F\mathbf{x} = \mathbf{m}_{tgt}$ iff there exists a linear exclusion function for $(S, S')$.


88 M. Blondin and J. Esparza 


Proof. Assume no such $\mathbf{x} \in \mathbb{R}^T_{\geq 0}$ exists. Let $\mathbf{b} := \mathbf{m}_{tgt} - \mathbf{m}_{src}$. By Proposition 3, there exists $\mathbf{y} \in \mathbb{R}^P$ such that $F^T\mathbf{y} \geq_{S'} \mathbf{0} \wedge \mathbf{b}^T\mathbf{y} \leq 0 \wedge \mathbf{b}^T\mathbf{y} < \sum_{s \in S} (F^T\mathbf{y})_s$. We show that $f(\mathbf{k}) := \mathbf{y}^T\mathbf{k}$ is a linear exclusion function for $(S, S')$.

1. We have $f(\mathbf{m}_{tgt}) - f(\mathbf{m}_{src}) = \mathbf{y}^T\mathbf{m}_{tgt} - \mathbf{y}^T\mathbf{m}_{src} = \mathbf{y}^T(\mathbf{m}_{tgt} - \mathbf{m}_{src}) = \mathbf{y}^T\mathbf{b} = \mathbf{b}^T\mathbf{y} \leq 0$, and hence $f(\mathbf{m}_{tgt}) \leq f(\mathbf{m}_{src})$.

2. Let $\mathbf{m} \xrightarrow{\lambda s} \mathbf{m}'$ with $s \in S'$ and $\lambda \in \mathbb{R}_{> 0}$. We have $\mathbf{m}' = \mathbf{m} + \lambda F\mathbf{e}_s$. Thus: $f(\mathbf{m}') = \mathbf{y}^T\mathbf{m}' = \mathbf{y}^T\mathbf{m} + \lambda\mathbf{y}^T F\mathbf{e}_s = \mathbf{y}^T\mathbf{m} + \lambda(F^T\mathbf{y})^T\mathbf{e}_s \geq \mathbf{y}^T\mathbf{m} = f(\mathbf{m})$, where the inequality follows from $\lambda > 0$, $F^T\mathbf{y} \geq_{S'} \mathbf{0}$ and $s \in S'$.

3. Recall that $\mathbf{b}^T\mathbf{y} \leq 0$ and $\sum_{s \in S} (F^T\mathbf{y})_s > \mathbf{b}^T\mathbf{y}$. If the latter sum equals zero, then $\mathbf{b}^T\mathbf{y} < 0$, and hence we are done since $f(\mathbf{m}_{tgt}) - f(\mathbf{m}_{src}) = \mathbf{b}^T\mathbf{y} < 0$. Otherwise, we have $\sum_{s \in S} (F^T\mathbf{y})_s > 0$ since $S \subseteq S'$ and $F^T\mathbf{y} \geq_{S'} \mathbf{0}$. Therefore, there exists a transition $s \in S$ such that $(F^T\mathbf{y})_s > 0$. Let $\mathbf{m} \xrightarrow{s} \mathbf{m}'$. We have $\mathbf{m}' = \mathbf{m} + \lambda F\mathbf{e}_s$ for some $\lambda > 0$. Thus, $f(\mathbf{m}') = \mathbf{y}^T\mathbf{m} + \lambda(F^T\mathbf{y})^T\mathbf{e}_s > \mathbf{y}^T\mathbf{m} = f(\mathbf{m})$, where the inequality holds by $\lambda > 0$ and $(F^T\mathbf{y})_s > 0$.


Putting together Proposition 4 with Theorem 1 and Proposition 2, we obtain the following characterization of unreachability.

Proposition 5. Let $\mathcal{N} = (P, T, F)$ be a Petri net, let $U \subseteq T$, and $\mathbf{m}_{src}, \mathbf{m}_{tgt} \in \mathbb{R}^P_{\geq 0}$. It is the case that $\mathbf{m}_{src} \not\xrightarrow{U}{}^* \mathbf{m}_{tgt}$ iff for every $S \subseteq U$:

1. there exists an exclusion function for $S$, or
2. there exists a siphon $Q$ of $\mathcal{N}_S$ such that $Q^\circ \neq \emptyset$ and $\mathbf{m}_{src}(Q) = 0$, or
3. there exists a trap $R$ of $\mathcal{N}_S$ such that ${}^\circ R \neq \emptyset$ and $\mathbf{m}_{tgt}(R) = 0$.

This proposition shows that, for all supports $S$, we can produce a witness of unreachability as an exclusion function, a siphon, or a trap. In the next section, we transform these witnesses into separators useful as certificates.


4 Separators as certificates

Let $\mathcal{N} = (P, T, F)$ be a Petri net and let $\mathbf{m}_{src}, \mathbf{m}_{tgt} \in \mathbb{R}^P_{\geq 0}$ be two markings of $\mathcal{N}$. From [5], one can easily show that if $\mathbf{m}_{src} \not\to^* \mathbf{m}_{tgt}$, then there is a separator for $(\mathbf{m}_{src}, \mathbf{m}_{tgt})$. Indeed, [5, Prop. 3.2] shows that there exists an existential formula $\psi$ of linear arithmetic such that $\mathbf{m} \to^* \mathbf{m}'$ iff $(\mathbf{m}, \mathbf{m}') \in [\![\psi]\!]$. Thus, the formula $\varphi(\mathbf{m}) := \psi(\mathbf{m}_{src}, \mathbf{m})$ is a separator.

However, $\varphi$ is not adequate as a certificate of unreachability. Indeed, checking a certificate for $\mathbf{m}_{src} \not\to^* \mathbf{m}_{tgt}$ should have smaller complexity than deciding whether $\mathbf{m}_{src} \to^* \mathbf{m}_{tgt}$. This is not the case for existential linear formulas, because $\mathbf{m}_{src} \to^* \mathbf{m}_{tgt}$ can be decided in polynomial time, but checking that an existential linear formula is a separator is coNP-hard.

Proposition 6. The problem of determining whether an existential linear formula $\varphi$ is a separator for $(\mathbf{m}_{src}, \mathbf{m}_{tgt})$ is coNP-hard, even if $\varphi$ is a quantifier-free formula in DNF and homogeneous.

In the rest of the section, we introduce locally closed bi-separators, and then, in Sections 5 and 6, we respectively prove that they satisfy the following:

– If $\mathbf{m}_{src} \not\to^* \mathbf{m}_{tgt}$, then some locally closed bi-separator for $(\mathbf{m}_{src}, \mathbf{m}_{tgt})$ can be computed in polynomial time;
– Deciding whether a formula is a locally closed bi-separator is in NC.


4.1 Locally closed bi-separators

The most difficult part of checking that a formula $\varphi$ is a bi-separator consists of checking that it is forward and backward invariant. Let us focus on forward invariance, backward invariance being symmetric.

Recall the definition: for all markings $\mathbf{m}, \mathbf{m}', \mathbf{m}''$ and every transition $t$: if $(\mathbf{m}, \mathbf{m}') \in [\![\varphi]\!]$ and $\mathbf{m}' \xrightarrow{t} \mathbf{m}''$ then $(\mathbf{m}, \mathbf{m}'') \in [\![\varphi]\!]$. Assume now that $\varphi$ is in DNF, i.e., a disjunction of clauses $\varphi = \varphi_1 \vee \cdots \vee \varphi_n$. The forward invariance check can be decomposed into $n$ smaller checks, one for each $i \in [1..n]$, of the form: if $(\mathbf{m}, \mathbf{m}') \in [\![\varphi_i]\!]$, then $(\mathbf{m}, \mathbf{m}'') \in [\![\varphi]\!]$. However, in general the check cannot be decomposed into local checks of the form: there exists $j \in [1..n]$ such that $(\mathbf{m}, \mathbf{m}') \in [\![\varphi_i]\!]$ implies $(\mathbf{m}, \mathbf{m}'') \in [\![\varphi_j]\!]$. Indeed, while this property is sufficient for forward invariance, it is not necessary. Intuitively, locally closed bi-separators are separators where invariance can be established by local checks.

For the formal definition, we need to introduce some notations. Given a transition $t$ and atomic propositions $\psi, \psi'$, we say that $\psi$ $t$-implies $\psi'$, written $\psi \rightsquigarrow_t \psi'$, if $(\mathbf{m}, \mathbf{m}') \in [\![\psi]\!]$ and $\mathbf{m}' \xrightarrow{t} \mathbf{m}''$ implies $(\mathbf{m}, \mathbf{m}'') \in [\![\psi']\!]$. We further say that a clause $\psi = \psi_1 \wedge \cdots \wedge \psi_m$ $t$-implies a clause $\psi' = \psi'_1 \wedge \cdots \wedge \psi'_n$, written $\psi \rightsquigarrow_t \psi'$, if for every $j \in [1..n]$, there exists $i \in [1..m]$ such that $\psi_i \rightsquigarrow_t \psi'_j$.

Definition 4. A linear formula $\varphi$ is locally closed w.r.t. $\mathcal{N} = (P, T, F)$ if:

– $\varphi = \varphi_1 \vee \cdots \vee \varphi_n$ is quantifier-free, in DNF and homogeneous,
– for every $t \in T$ and every $i \in [1..n]$, there exists $j \in [1..n]$ s.t. $\varphi_i \rightsquigarrow_t \varphi_j$,
– for every $t \in T^T$ and every $i \in [1..n]$, there exists $j \in [1..n]$ s.t. $\varphi_i^T \rightsquigarrow_t \varphi_j^T$.

Note that the definition is semantic. We make the straightforward but crucial observation that:

Proposition 7. Locally closed formulas are bi-invariant.

Proof. Let $\varphi = \varphi_1 \vee \cdots \vee \varphi_n$ be a locally closed formula. We only consider the forward case; the other case is symmetric. Let $(\mathbf{m}, \mathbf{m}') \in [\![\varphi]\!]$ and $\mathbf{m}' \xrightarrow{t} \mathbf{m}''$. Let $i \in [1..n]$ be such that $(\mathbf{m}, \mathbf{m}') \in [\![\varphi_i]\!]$. Since $\varphi$ is locally closed, there exists $j \in [1..n]$ such that $\varphi_i \rightsquigarrow_t \varphi_j$. For every atomic proposition $\psi'$ of $\varphi_j$, there exists an atomic proposition $\psi$ of $\varphi_i$ such that $\psi \rightsquigarrow_t \psi'$. Since each atomic proposition of $\varphi_i$ is satisfied by $(\mathbf{m}, \mathbf{m}')$, we obtain $(\mathbf{m}, \mathbf{m}'') \in [\![\varphi_j]\!]$.

Proposition 7 justifies the following definition:

Definition 5. A locally closed bi-separator for $(\mathbf{m}_{src}, \mathbf{m}_{tgt})$ is a locally closed formula $\varphi$ s.t. $(\mathbf{m}_{src}, \mathbf{m}_{src}) \in [\![\varphi]\!]$, $(\mathbf{m}_{tgt}, \mathbf{m}_{tgt}) \in [\![\varphi]\!]$ and $(\mathbf{m}_{src}, \mathbf{m}_{tgt}) \notin [\![\varphi]\!]$.

Indeed, by Proposition 7, a locally closed bi-separator is a bi-separator, as the bi-invariance condition of Definition 2 follows from local closedness.


5 Constructing locally closed bi-separators

In this section, we prove that unreachability can always be witnessed by locally closed bi-separators of polynomial size and computable in polynomial time. The proof uses the results of Section 3.

Theorem 2. If $\mathbf{m}_{src} \not\xrightarrow{U}{}^* \mathbf{m}_{tgt}$, then there is a locally closed bi-separator $\varphi$ for $(\mathbf{m}_{src}, \mathbf{m}_{tgt})$ w.r.t. $\mathcal{N}_U$. Further, $\varphi = \bigvee_{1 \leq i \leq n} \varphi_i$, where $n \leq 2|U| + 1$ and each $\varphi_i$ contains at most $2|U| + 1$ atomic propositions. Moreover, $\varphi$ is computable in polynomial time.

Proof. We proceed by induction on $|U|$. First consider $U = \emptyset$. Let $p \in P$ be such that $\mathbf{m}_{src}(p) \neq \mathbf{m}_{tgt}(p)$. Take $\varphi(\mathbf{m}, \mathbf{m}') := \mathbf{e}_p\mathbf{m} \leq \mathbf{e}_p\mathbf{m}'$ or $-\mathbf{e}_p\mathbf{m} \leq -\mathbf{e}_p\mathbf{m}'$.

Now, assume that $U \neq \emptyset$. Consider the system $\exists \mathbf{x} \in \mathbb{R}^T_{\geq 0} : \mathbf{m}_{src} + F\mathbf{x} = \mathbf{m}_{tgt} \wedge \mathrm{supp}(\mathbf{x}) \subseteq U$. Suppose first that the system has no solution. By Proposition 4, taking $S = \emptyset$ and $S' = U$, there is a linear exclusion function for $(\emptyset, U)$, i.e. a linear function $f$ satisfying:

1. $f(\mathbf{m}_{src}) > f(\mathbf{m}_{tgt})$,
2. $\mathbf{m} \xrightarrow{u} \mathbf{m}'$ implies $f(\mathbf{m}) \leq f(\mathbf{m}')$ for all $u \in U$.

(The first item holds due to Item 2 of Definition 3 and $S = \emptyset$.) So we can take $\varphi(\mathbf{m}, \mathbf{m}') := (f(\mathbf{m}) \leq f(\mathbf{m}'))$.

Suppose now that the system has a solution $\mathbf{x} \in \mathbb{R}^T_{\geq 0}$. By convexity, we can suppose that $\mathrm{supp}(\mathbf{x}) \subseteq U$ is maximal. Indeed, if $\mathbf{x}'$ and $\mathbf{x}''$ are solutions, then $(1/2)\mathbf{x}' + (1/2)\mathbf{x}''$ is a solution with support $\mathrm{supp}(\mathbf{x}') \cup \mathrm{supp}(\mathbf{x}'')$. Let $U' := \mathrm{supp}(\mathbf{x})$. For every $t \in U \setminus U'$, consider the system of Proposition 4 with $S = \{t\}$ and $S' = U$. By maximality of $U' \subseteq U$, none of these systems has a solution. Consequently, for each $t \in U \setminus U'$, Proposition 4 yields a linear exclusion function for $(\{t\}, U)$, i.e. a linear function $f_t$ that satisfies:

3. $f_t(\mathbf{m}_{src}) \geq f_t(\mathbf{m}_{tgt})$,
4. $\mathbf{m} \xrightarrow{u} \mathbf{m}'$ implies $f_t(\mathbf{m}) \leq f_t(\mathbf{m}')$ for all $u \in U$,
5. either $f_t(\mathbf{m}_{src}) > f_t(\mathbf{m}_{tgt})$, or $\mathbf{m} \xrightarrow{t} \mathbf{m}'$ implies $f_t(\mathbf{m}) < f_t(\mathbf{m}')$.

If $f_t(\mathbf{m}_{src}) > f_t(\mathbf{m}_{tgt})$ holds for some $t \in U \setminus U'$, then we are done by taking $\varphi(\mathbf{m}, \mathbf{m}') := (f_t(\mathbf{m}) \leq f_t(\mathbf{m}'))$ as Item 4 ensures that $\varphi \rightsquigarrow_u \varphi$ for every $u \in U$. So assume it does not hold for any $t \in U \setminus U'$, i.e. assume that $f_t(\mathbf{m}_{src}) = f_t(\mathbf{m}_{tgt})$ holds, and the second disjunct of Item 5 holds for all $t \in U \setminus U'$. This is the most involved case. Let

$$\varphi_{inv}(\mathbf{m}, \mathbf{m}') := \bigwedge_{t \in U \setminus U'} (f_t(\mathbf{m}) \leq f_t(\mathbf{m}')) \quad \text{and} \quad \varphi_t(\mathbf{m}, \mathbf{m}') := (f_t(\mathbf{m}) < f_t(\mathbf{m}')).$$

Let $Q, R \subseteq P$ be respectively the maximal siphon and trap of $\mathcal{N}_{U'}$ such that $\mathbf{m}_{src}(Q) = 0$ and $\mathbf{m}_{tgt}(R) = 0$ (well-defined by closure under union). Let $U'' := U' \setminus (Q^\circ \cup {}^\circ R)$. By Theorem 1 and Proposition 2, $Q^\circ \cup {}^\circ R \neq \emptyset$. Thus, $U''$ is a strict subset of $U'$, and, by induction hypothesis, there is a locally closed bi-separator w.r.t. $\mathcal{N}_{U''}$ of the form $\psi = \bigvee_{1 \leq i \leq m} \psi_i$ that satisfies the claim for set $U''$. Let

$$\varphi(\mathbf{m}, \mathbf{m}') := \bigvee_{t \in U \setminus U'} \varphi_t(\mathbf{m}, \mathbf{m}') \;\vee\; [\varphi_{inv}(\mathbf{m}, \mathbf{m}') \wedge \mathbf{m}(Q) + \mathbf{m}'(R) > 0] \;\vee\; \bigvee_{1 \leq i \leq m} [\varphi_{inv}(\mathbf{m}, \mathbf{m}') \wedge \mathbf{m}(R) + \mathbf{m}'(Q) \leq 0 \wedge \psi_i(\mathbf{m}, \mathbf{m}')].$$

As $(\mathbf{m}_{src}, \mathbf{m}_{src}) \in [\![\varphi_{inv}]\!]$ and $(\mathbf{m}_{src}, \mathbf{m}_{src}) \in [\![\psi]\!]$, we have $(\mathbf{m}_{src}, \mathbf{m}_{src}) \in [\![\varphi]\!]$. Similarly, $(\mathbf{m}_{tgt}, \mathbf{m}_{tgt}) \in [\![\varphi]\!]$. By Item 3, $(\mathbf{m}_{src}, \mathbf{m}_{tgt}) \notin [\![\bigvee_{t \in U \setminus U'} \varphi_t(\mathbf{m}, \mathbf{m}')]\!]$. Further, $\mathbf{m}_{src}(Q) + \mathbf{m}_{tgt}(R) = 0$ and $(\mathbf{m}_{src}, \mathbf{m}_{tgt}) \notin [\![\psi]\!]$. So, $(\mathbf{m}_{src}, \mathbf{m}_{tgt}) \notin [\![\varphi]\!]$. The number of disjuncts of $\varphi$ is $|U \setminus U'| + 1 + m$ and hence at most

$$|U \setminus U'| + 1 + 2|U''| + 1 \leq |U| - |U''| + 1 + 2|U''| + 1 = |U| + |U''| + 2 \leq |U| + (|U| - 1) + 2 = 2|U| + 1.$$

The same bound holds for the number of atomic propositions per disjunct.

It remains to show that $\varphi(\mathbf{m}, \mathbf{m}')$ is locally closed w.r.t. $\mathcal{N}_U$. We only consider the forward case, as the backward case is symmetric. Let $(\mathbf{m}, \mathbf{m}') \in [\![\varphi]\!]$ and $\mathbf{m}' \xrightarrow{u} \mathbf{m}''$ for some $u \in U$. By Item 4, $\varphi_t \rightsquigarrow_u \varphi_t$ holds for each $\varphi_t$. Indeed, $f_t(\mathbf{m}) < f_t(\mathbf{m}')$ and $\mathbf{m}' \xrightarrow{u} \mathbf{m}''$ imply $f_t(\mathbf{m}) < f_t(\mathbf{m}') \leq f_t(\mathbf{m}'')$, and hence $f_t(\mathbf{m}) < f_t(\mathbf{m}'')$. To handle the other clauses, we make a case distinction on $u$.

– Case $u \in U \setminus U'$. Atomic proposition $\theta := (f_u(\mathbf{m}) \leq f_u(\mathbf{m}'))$ of $\varphi_{inv}$ satisfies $\theta \rightsquigarrow_u \varphi_u$. Indeed, if $f_u(\mathbf{m}) \leq f_u(\mathbf{m}')$ and $\mathbf{m}' \xrightarrow{u} \mathbf{m}''$, then we have $f_u(\mathbf{m}) < f_u(\mathbf{m}'')$ by Item 5.

– Case $u \in U'$. By Item 4, each atomic proposition $\theta$ of $\varphi_{inv}$ satisfies $\theta \rightsquigarrow_u \theta$.

  • Case $u \in {}^\circ R$. We have $\theta' \rightsquigarrow_u (\mathbf{m}(Q) + \mathbf{m}'(R) > 0)$ for any atomic proposition $\theta'$, since $\mathbf{m}' \xrightarrow{u} \mathbf{m}''$ implies $\mathbf{m}''(R) > 0$ (regardless of $\theta'$).

  • Case $u \in Q^\circ$. If $\mathbf{m}'(Q) \leq 0$, then $u$ is disabled in $\mathbf{m}'$. Thus, it only remains to handle $\theta_{>0} := (\mathbf{m}(Q) + \mathbf{m}'(R) > 0)$. Since $R$ is a trap of $\mathcal{N}_{U'}$, firing $u$ from $\mathbf{m}'$ does not empty $R$, and hence $\theta_{>0} \rightsquigarrow_u \theta_{>0}$.

  • Case $u \in U''$. Let $\theta_{\leq 0} := (\mathbf{m}(R) + \mathbf{m}'(Q) \leq 0)$ and $\theta_{>0} := (\mathbf{m}(Q) + \mathbf{m}'(R) > 0)$. Since $Q$ and $R$ are respectively a siphon and trap of $\mathcal{N}_{U'}$, we have $\theta_{\leq 0} \rightsquigarrow_u \theta_{\leq 0}$ and $\theta_{>0} \rightsquigarrow_u \theta_{>0}$. Moreover, by induction hypothesis, for every $i \in [1..m]$, there exists $j \in [1..m]$ such that $\psi_i \rightsquigarrow_u \psi_j$.

We conclude the proof by observing that it is constructive and can be turned into Algorithm 1. The procedure works in polynomial time. Indeed, there are at most $|U|$ recursive calls. Moreover, each set can be obtained in polynomial time via either linear programming or maximal siphons/traps computations [9].


Example 2. Let us apply the construction of Theorem 2 to the Petri net and the markings of Example 1: $\mathbf{m}_{src} = \{p_1 \mapsto 2, p_2 \mapsto 0, p_3 \mapsto 0, p_4 \mapsto 0\}$ and $\mathbf{m}_{tgt} = \{p_1 \mapsto 0, p_2 \mapsto 0, p_3 \mapsto 1, p_4 \mapsto 0\}$. The locally closed bi-separator is the formula $\varphi$ below, where the colored arrows represent the relations $\rightsquigarrow_{t_1}, \ldots, \rightsquigarrow_{t_4}$:

[The display of $\varphi$ with its colored arrows did not survive extraction. Its legible parts are the atomic propositions $\mathbf{m}(p_4) < \mathbf{m}'(p_4)$, $\mathbf{m}(p_4) \leq \mathbf{m}'(p_4)$, $\mathbf{m}(p_4) + \mathbf{m}'(p_4) > 0$, $\mathbf{m}'(p_1) + \mathbf{m}'(p_2) > 0$, $\mathbf{m}(p_1) + \mathbf{m}(p_2) \leq 0$ and $-\mathbf{m}(p_3) \leq -\mathbf{m}'(p_3)$; the last disjunct reads $[\mathbf{m}(p_4) \leq \mathbf{m}'(p_4) \wedge \mathbf{m}(p_1) + \mathbf{m}(p_2) \leq 0 \wedge -\mathbf{m}(p_3) \leq -\mathbf{m}'(p_3)]$.]

The forward separator $\psi(\mathbf{m}) := \varphi(\mathbf{m}_{src}, \mathbf{m})$ is, after simplifications, given by

$$\psi(\mathbf{m}) = \mathbf{m}(p_1) + \mathbf{m}(p_2) > 0 \vee \mathbf{m}(p_4) > 0.$$

Similarly, we obtain this backward separator $\psi'(\mathbf{m}) := \varphi(\mathbf{m}, \mathbf{m}_{tgt})$:

$$\psi'(\mathbf{m}) = \mathbf{m}(p_1) + \mathbf{m}(p_2) = 0 \wedge \mathbf{m}(p_3) \geq 1 \wedge \mathbf{m}(p_4) = 0.$$

The backward separator $\psi'$ provides a much simpler proof of $\mathbf{m}_{src} \not\to^* \mathbf{m}_{tgt}$ than the one of Example 1. The proof goes as follows: $\psi'$ is trivially backward invariant, because markings that only mark $p_3$ do not backward-enable any transition. In particular, since $\mathbf{m}_{tgt}$ only marks $p_3$, it can only be reached from $\mathbf{m}_{tgt}$.


Algorithm 1: Construction of a locally closed bi-separator for $(\mathbf{m}_{src}, \mathbf{m}_{tgt})$.

Input: $\mathcal{N} = (P, T, F)$, $U \subseteq T$ and $\mathbf{m}_{src}, \mathbf{m}_{tgt} \in \mathbb{Q}^P_{\geq 0}$ s.t. $\mathbf{m}_{src} \not\xrightarrow{U}{}^* \mathbf{m}_{tgt}$
Output: A locally closed bi-separator w.r.t. $\mathcal{N}_U$

bi-separator($U$)
    if $U = \emptyset$ then
        pick $p \in P$ such that $\mathbf{m}_{src}(p) \neq \mathbf{m}_{tgt}(p)$
        return $(\mathbf{a}\mathbf{m} \leq \mathbf{a}\mathbf{m}')$ where $\mathbf{a} := \mathrm{sign}(\mathbf{m}_{src}(p) - \mathbf{m}_{tgt}(p)) \cdot \mathbf{e}_p$
    else
        $\mathbf{b} := \mathbf{m}_{tgt} - \mathbf{m}_{src}$
        $X := \{\mathbf{x} \in \mathbb{R}^T_{\geq 0} : F\mathbf{x} = \mathbf{b}, \mathrm{supp}(\mathbf{x}) \subseteq U\}$
        $Y_S := \{\mathbf{y} \in \mathbb{R}^P : F^T\mathbf{y} \geq_U \mathbf{0},\ \mathbf{b}^T\mathbf{y} \leq 0,\ \mathbf{b}^T\mathbf{y} < \sum_{s \in S} (F^T\mathbf{y})_s\}$
        if $X = \emptyset$ then
            pick $\mathbf{y} \in Y_\emptyset$ and return $(\mathbf{y}^T\mathbf{m} \leq \mathbf{y}^T\mathbf{m}')$
        else
            $U' := \{u \in U : \mathbf{x}(u) > 0 \text{ for some } \mathbf{x} \in X\}$
            for $t \in U \setminus U'$ do
                pick $\mathbf{y}_t \in Y_{\{t\}}$; $f_t(\mathbf{m}) := \mathbf{y}_t^T\mathbf{m}$
                if $f_t(\mathbf{m}_{src}) > f_t(\mathbf{m}_{tgt})$ then return $(f_t(\mathbf{m}) \leq f_t(\mathbf{m}'))$
            $Q$ := largest siphon of $\mathcal{N}_{U'}$ such that $\mathbf{m}_{src}(Q) = 0$
            $R$ := largest trap of $\mathcal{N}_{U'}$ such that $\mathbf{m}_{tgt}(R) = 0$
            $\varphi_{inv} := \bigwedge_{t \in U \setminus U'} (f_t(\mathbf{m}) \leq f_t(\mathbf{m}'))$
            $\psi_1 \vee \cdots \vee \psi_m$ := bi-separator($U' \setminus (Q^\circ \cup {}^\circ R)$)
            return $\bigvee_{t \in U \setminus U'} \varphi_t(\mathbf{m}, \mathbf{m}') \vee [\varphi_{inv}(\mathbf{m}, \mathbf{m}') \wedge \mathbf{m}(Q) + \mathbf{m}'(R) > 0] \vee \bigvee_{1 \leq i \leq m} [\varphi_{inv}(\mathbf{m}, \mathbf{m}') \wedge \mathbf{m}(R) + \mathbf{m}'(Q) \leq 0 \wedge \psi_i(\mathbf{m}, \mathbf{m}')]$
6 Checking locally closed bi-separators is in NC

We show that the problem of deciding whether a given linear formula is a locally closed bi-separator is in NC. To do so, we provide a characterization of $\psi \rightsquigarrow_t \psi'$ for homogeneous atomic propositions $\psi$ and $\psi'$. We only focus on forward firability, as backward firability can be expressed as forward firability in the transpose Petri net. Recall that $\psi \rightsquigarrow_t \psi'$ holds iff the following holds:

$$(\mathbf{m}, \mathbf{m}') \in [\![\psi]\!] \text{ and } \mathbf{m}' \xrightarrow{t} \mathbf{m}'' \text{ imply } (\mathbf{m}, \mathbf{m}'') \in [\![\psi']\!]. \qquad (*)$$

Property $(*)$ can be rephrased as:

$$(\mathbf{m}, \mathbf{m}') \in [\![\psi]\!] \text{ and } \mathbf{m}' \geq \alpha \cdot \Delta^-_t \text{ imply } (\mathbf{m}, \mathbf{m}' + \alpha \cdot \Delta_t) \in [\![\psi']\!].$$

As we will see towards the end of the section, due to homogeneity, it actually suffices to consider the case where $\alpha = 1$, which yields this reformulation:

$$\underbrace{\{(\mathbf{m}, \mathbf{m}') \in [\![\psi]\!] : \mathbf{m}' \geq \Delta^-_t\}}_{X} \subseteq \underbrace{\{(\mathbf{m}, \mathbf{m}') : (\mathbf{m}, \mathbf{m}' + \Delta_t) \in [\![\psi']\!]\}}_{Y}.$$

Therefore, testing $\psi \rightsquigarrow_t \psi'$ amounts to the inclusion check $X \subseteq Y$. Of course, if $X = \emptyset$, then this is trivial. Hence, we will suppose that $X \neq \emptyset$, assuming for now that it can somehow be tested efficiently. In the forthcoming Propositions 8 and 9, we will provide necessary and sufficient conditions for $X \subseteq Y$ to hold. In Proposition 10, we will show that these conditions are testable in NC. Then, in Proposition 11, we will explain how to check whether $X \neq \emptyset$ actually holds.

For $X \subseteq Y$, we can characterize the case of atomic propositions $\psi$ that use "$\leq$" (rather than "$<$") with a generalization of Farkas' lemma:

Proposition 8. Let $\mathbf{a}, \mathbf{a}', \mathbf{l} \in \mathbb{R}^n$ and $b' \in \mathbb{R}$. Let $X := \{\mathbf{x} \in \mathbb{R}^n : \mathbf{a}\mathbf{x} \leq 0 \wedge \mathbf{x} \geq \mathbf{l}\}$ and $Y := \{\mathbf{x} \in \mathbb{R}^n : \mathbf{a}'\mathbf{x} \leq b'\}$ be such that $X \neq \emptyset$. It is the case that $X \subseteq Y$ iff there exists $\lambda \geq 0$ such that $\lambda\mathbf{a} \geq \mathbf{a}'$ and $-b' \leq (\lambda\mathbf{a} - \mathbf{a}')\mathbf{l}$.

We now give the conditions for all four combinations of "$\leq$" and "$<$":

Proposition 9. Let $\mathbf{a}, \mathbf{a}' \in \mathbb{R}^n$, $b' \in \mathbb{R}$, $\mathbf{l} \geq \mathbf{0}$ and $\sim, \sim' \in \{\leq, <\}$. Let $X_\sim := \{\mathbf{x} \geq \mathbf{l} : \mathbf{a}\mathbf{x} \sim 0\}$ and $Y_{\sim'} := \{\mathbf{x} \in \mathbb{R}^n : \mathbf{a}'\mathbf{x} \sim' b'\}$ be such that $X_\sim \neq \emptyset$. It holds that $X_\sim \subseteq Y_{\sim'}$ iff there exists $\lambda \geq 0$ s.t. $\lambda\mathbf{a} \geq \mathbf{a}'$ and one of the following holds:

1. $\sim' = {\leq}$ and $-b' \leq (\lambda\mathbf{a} - \mathbf{a}')\mathbf{l}$;
2. $\sim = {\leq}$, $\sim' = {<}$, and $-b' < (\lambda\mathbf{a} - \mathbf{a}')\mathbf{l}$;
3. $\sim = {<}$, $\sim' = {<}$, and either $-b' < (\lambda\mathbf{a} - \mathbf{a}')\mathbf{l}$ or $-b' = (\lambda\mathbf{a} - \mathbf{a}')\mathbf{l} \wedge \lambda > 0$.

Proof.

1. If $\sim = {\leq}$, then it follows immediately from Proposition 8. Thus, assume $\sim = {<}$. We claim that $X_< \subseteq Y_\leq$ iff $X_\leq \subseteq Y_\leq$. The validity of this claim concludes the proof of this case as we have handled $\sim = {\leq}$ and as $X_\leq \supseteq X_< \neq \emptyset$.
Let us show the claim. It is clear that $X_< \subseteq Y_\leq$ is implied by $X_\leq \subseteq Y_\leq$. So, we only have to show the direction from left to right. For the sake of contradiction, suppose that $X_< \subseteq Y_\leq$ and $X_\leq \not\subseteq Y_\leq$. Let $X_= := X_\leq \setminus X_<$. Note that $X_= \neq \emptyset$. Let $\mathbf{x} \in X_<$ and $\mathbf{x}' \in X_= \setminus Y_\leq$. We have $\mathbf{x}, \mathbf{x}' \geq \mathbf{l}$, $\mathbf{a}\mathbf{x} < 0$, $\mathbf{a}\mathbf{x}' = 0$, $\mathbf{a}'\mathbf{x} = c \leq b'$ and $\mathbf{a}'\mathbf{x}' = c' > b'$ for some $c, c' \in \mathbb{R}$. In particular, $b' \in [c, c')$. Let $\varepsilon \in (0, 1]$ be such that $b' < \varepsilon c + (1 - \varepsilon)c'$. Let $\mathbf{x}'' := \varepsilon\mathbf{x} + (1 - \varepsilon)\mathbf{x}'$. Observe that $\mathbf{x}'' \geq \mathbf{l}$. Moreover, we have:

$$\mathbf{a}\mathbf{x}'' = \varepsilon\mathbf{a}\mathbf{x} + (1 - \varepsilon)\mathbf{a}\mathbf{x}' = \varepsilon\mathbf{a}\mathbf{x} < 0,$$
$$\mathbf{a}'\mathbf{x}'' = \varepsilon\mathbf{a}'\mathbf{x} + (1 - \varepsilon)\mathbf{a}'\mathbf{x}' = \varepsilon c + (1 - \varepsilon)c' > b'.$$

Therefore, we have $\mathbf{x}'' \in X_<$ and $\mathbf{x}'' \notin Y_\leq$, which is a contradiction.

2. $\Rightarrow$) Since $X_\leq \subseteq Y_<$, the system $\exists \mathbf{x} : \mathbf{x} \geq \mathbf{l} \wedge \mathbf{a}\mathbf{x} \leq 0 \wedge \mathbf{a}'\mathbf{x} \geq b'$ has no solution. In matrix notation, the system corresponds to $\exists \mathbf{x} : A\mathbf{x} \leq \mathbf{c}$ where

$$A := \begin{pmatrix} -I \\ \mathbf{a} \\ -\mathbf{a}' \end{pmatrix} \quad \text{and} \quad \mathbf{c} := \begin{pmatrix} -\mathbf{l} \\ 0 \\ -b' \end{pmatrix}.$$

By Farkas' lemma (Lemma 1), $A^T\mathbf{y} = \mathbf{0}$ and $\mathbf{c}^T\mathbf{y} < 0$ for some $\mathbf{y} \geq \mathbf{0}$. In other words,

$$\exists \mathbf{z} \geq \mathbf{0}, \lambda, \lambda' \geq 0 : \lambda\mathbf{a} - \lambda'\mathbf{a}' = \mathbf{z} \wedge -\lambda' b' < \mathbf{z}\mathbf{l}.$$

Since $\mathbf{z} \geq \mathbf{0}$, we have $\lambda\mathbf{a} \geq \lambda'\mathbf{a}' \wedge -\lambda' b' < (\lambda\mathbf{a} - \lambda'\mathbf{a}')\mathbf{l}$. If $\lambda' > 0$, then we are done by dividing all terms by $\lambda'$. For the sake of contradiction, suppose that $\lambda' = 0$. This means that $\lambda\mathbf{a} \geq \mathbf{0}$ and $0 < \lambda\mathbf{a}\mathbf{l}$. We necessarily have $\lambda > 0$ and $\mathbf{a}\mathbf{l} > 0$. Let $\mathbf{x} \in X_\leq$. We have $0 \geq \mathbf{a}\mathbf{x} \geq \mathbf{a}\mathbf{l} > 0$, which is a contradiction.

$\Leftarrow$) Let $\mathbf{x} \in X_\leq$. We have $\mathbf{a}'\mathbf{x} < b'$ and hence $\mathbf{x} \in Y_<$ as desired, since:

$$\begin{aligned} -b' &< (\lambda\mathbf{a} - \mathbf{a}')\mathbf{l} \\ &\leq (\lambda\mathbf{a} - \mathbf{a}')\mathbf{x} && \text{(by } (\lambda\mathbf{a} - \mathbf{a}') \geq \mathbf{0} \text{ and } \mathbf{x} \geq \mathbf{l} \geq \mathbf{0}) \\ &= \lambda\mathbf{a}\mathbf{x} - \mathbf{a}'\mathbf{x} \\ &\leq -\mathbf{a}'\mathbf{x} && \text{(by } \lambda \geq 0 \text{ and } \mathbf{a}\mathbf{x} \leq 0). \end{aligned}$$

3. The proof is similar albeit slightly more complicated.


The conditions arising from Proposition 9 involve solving linear programs with one variable $\lambda$. It is easy to see that this problem is in NC:

Proposition 10. Given $\mathbf{a}, \mathbf{b} \in \mathbb{Q}^n$ and $\sim \in \{\leq, <\}^n$, testing $\exists \lambda \geq 0 : \mathbf{a}\lambda \sim \mathbf{b}$ is in NC.

Recall that at the beginning of the section we made the assumption that some pair $(\mathbf{m}, \mathbf{m}') \in [\![\psi]\!]$ is such that $\mathbf{m}'$ enables a transition $t$. Checking whether this is actually true has a cost. Fortunately, we provide a simple characterization of enabledness which can be checked in NC. Formally, we say that $\psi$ enables $t$ if there exists $(\mathbf{m}, \mathbf{m}') \in [\![\psi]\!]$ such that $\mathbf{m}'$ $\alpha$-enables $t$ for some $\alpha > 0$. We have:

Proposition 11. Let $\psi_\sim(\mathbf{m}, \mathbf{m}') := \mathbf{a}\mathbf{m} \sim \mathbf{b}\mathbf{m}'$ where $\mathbf{a}, \mathbf{b} \in \mathbb{R}^P$. The following holds:

1. $\psi_<$ enables $u$ iff $\mathbf{a} \not\geq \mathbf{0}$ or $\mathbf{b} \not\leq \mathbf{0}$, and
2. $\psi_\leq$ enables $u$ iff $\mathbf{b}\Delta^-_u \geq 0$ or $(\mathbf{b}\Delta^-_u < 0 \wedge (\mathbf{a}, -\mathbf{b}) \not\geq (\mathbf{0}, \mathbf{0}))$.

Proof.

1. $\Rightarrow$) Since $\psi_<$ enables $u$, we have $[\![\psi_<]\!] \neq \emptyset$. Let $(\mathbf{m}, \mathbf{m}') \in [\![\psi_<]\!]$. We have $\mathbf{a}\mathbf{m} < \mathbf{b}\mathbf{m}'$. It cannot be that $\mathbf{a} \geq \mathbf{0}$ and $\mathbf{b} \leq \mathbf{0}$, as otherwise $\mathbf{a}\mathbf{m} \geq 0 \geq \mathbf{b}\mathbf{m}'$.

$\Leftarrow$) It suffices to give a pair $(\mathbf{m}, \mathbf{m}') \in [\![\psi_<]\!]$ such that $\mathbf{m}' \geq \Delta^-_u$. Informally, if $\mathbf{a}$ has a negative value (resp. $\mathbf{b}$ has a positive value), then we can consider the pair $(\mathbf{0}, \Delta^-_u)$ and "fix" the value on the left-hand side (resp. right-hand side) so that $\psi_<$ is satisfied. More formally, if $\mathbf{a}(p) < 0$, then $(k\mathbf{e}_p, \Delta^-_u) \in [\![\psi_<]\!]$ with $k := (|\mathbf{b}\Delta^-_u| + 1)/|\mathbf{a}(p)|$; if $\mathbf{b}(p) > 0$, then $(\mathbf{0}, \Delta^-_u + k\mathbf{e}_p) \in [\![\psi_<]\!]$ with $k := (|\mathbf{b}\Delta^-_u| + 1)/\mathbf{b}(p)$.

2. The proof is similar albeit slightly more complicated.

We can finally show that testing $\psi \rightsquigarrow_t \psi'$ can be done in NC, for atomic propositions $\psi$ and $\psi'$. In turn, this allows us to show that we can test in NC whether a linear formula is a locally closed bi-separator.

Proposition 12. Given a Petri net $\mathcal{N}$, a transition $t$ and homogeneous atomic propositions $\psi$ and $\psi'$, testing whether $\psi \rightsquigarrow_t \psi'$ can be done in NC.


Proof. Recall that addition, subtraction, multiplication, division and comparison can be done in NC. Note that, by Proposition 11, we can check whether $\psi$ enables $t$ in NC. If it does, then we must test whether $(\mathbf{m}, \mathbf{m}') \in [\![\psi]\!]$ and $\mathbf{m}' \xrightarrow{\alpha t} \mathbf{m}''$ implies $(\mathbf{m}, \mathbf{m}'') \in [\![\psi']\!]$. We claim that this amounts to testing $X \subseteq Y$, where:

$$X := \{(\mathbf{m}, \mathbf{m}') \in \mathbb{R}^P_{\geq 0} \times \mathbb{R}^P_{\geq 0} : (\mathbf{m}, \mathbf{m}') \in [\![\psi]\!] \text{ and } (\mathbf{m}, \mathbf{m}') \geq (\mathbf{0}, \Delta^-_t)\},$$
$$Y := \{(\mathbf{m}, \mathbf{m}') \in \mathbb{R}^P_{\geq 0} \times \mathbb{R}^P_{\geq 0} : (\mathbf{m}, \mathbf{m}' + \Delta_t) \in [\![\psi']\!]\}.$$

Let us prove this claim.

$\Rightarrow$) Let $(\mathbf{m}, \mathbf{m}') \in X$. We have $(\mathbf{m}, \mathbf{m}') \in [\![\psi]\!]$ and $(\mathbf{m}, \mathbf{m}') \geq (\mathbf{0}, \Delta^-_t)$. Thus $\mathbf{m}' \xrightarrow{t} \mathbf{m}' + \Delta_t$. By assumption, $(\mathbf{m}, \mathbf{m}' + \Delta_t) \in [\![\psi']\!]$, and hence $(\mathbf{m}, \mathbf{m}') \in Y$.

$\Leftarrow$) Let $(\mathbf{m}, \mathbf{m}') \in [\![\psi]\!]$ and $\mathbf{m}' \xrightarrow{\alpha t} \mathbf{m}''$. We have $\mathbf{m}' \geq \alpha\Delta^-_t$ and $\mathbf{m}'' = \mathbf{m}' + \alpha\Delta_t$. Let $\mathbf{k} := \mathbf{m}/\alpha$, $\mathbf{k}' := \mathbf{m}'/\alpha$ and $\mathbf{k}'' := \mathbf{m}''/\alpha$. As $\alpha > 0$ and $\psi$ is homogeneous, we have $(\mathbf{k}, \mathbf{k}') \in [\![\psi]\!]$, $(\mathbf{k}, \mathbf{k}') \geq (\mathbf{0}, \Delta^-_t)$ and $\mathbf{k}'' = \mathbf{k}' + \Delta_t$. Thus, $(\mathbf{k}, \mathbf{k}') \in X \subseteq Y$. By definition of $Y$, this means that $(\mathbf{k}, \mathbf{k}'') \in [\![\psi']\!]$. By homogeneity, we conclude that $(\mathbf{m}, \mathbf{m}'') \in [\![\psi']\!]$.

Now that we have shown the claim, let us explain how to check whether $X \subseteq Y$ in NC. Note that $X \neq \emptyset$ since $\psi$ enables $t$. Thus, by Proposition 9, testing $X \subseteq Y$ amounts to solving a linear program in one variable. For example, if $\psi = (\mathbf{a} \cdot (\mathbf{m}, \mathbf{m}') \leq 0)$ and $\psi' = (\mathbf{a}' \cdot (\mathbf{m}, \mathbf{m}') \leq 0)$, then we must check whether this system has a solution:

$$\exists \lambda \geq 0 : \lambda\mathbf{a} \geq \mathbf{a}' \wedge \mathbf{a}' \cdot (\mathbf{0}, \Delta_t) \leq (\lambda\mathbf{a} - \mathbf{a}') \cdot (\mathbf{0}, \Delta^-_t).$$

Thus, by Proposition 10, testing $X \subseteq Y$ can be done in NC.
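The reduction of Proposition 12 together with Propositions 9, 10 and 11 can be run with exact rational arithmetic. The following added example (not code from the paper) does so for the net of Figure 1: an atomic proposition $\psi(\mathbf{m}, \mathbf{m}') := \mathbf{a}\mathbf{m} \sim \mathbf{b}\mathbf{m}'$ is stored as a triple (a, b, rel); `enables` is the test of Proposition 11; and `t_implies` builds the coefficients of $X$ and $Y$ for $\alpha = 1$ (so $\mathbf{l} = (\mathbf{0}, \Delta^-_t)$ and $b' = -\mathbf{a}' \cdot (\mathbf{0}, \Delta_t)$) and decides the three cases of Proposition 9 by intersecting intervals over the single variable $\lambda$, which is all Proposition 10 needs. The propositions tested at the end are the atoms $\mathbf{m}(p_4) \leq \mathbf{m}'(p_4)$ and $\mathbf{m}(p_4) < \mathbf{m}'(p_4)$ that appear in Example 2, plus two negative cases; all names are the example's own.

```python
"""t-implication psi ~>_t psi' for homogeneous atomic propositions (Section 6).

Added example, not code from the paper.  psi(m, m') := a·m ~ b·m' is stored as
(a, b, rel) with rel in {"<=", "<"}.  Net of Figure 1, places and transitions
0-indexed (p1 = 0, t1 = 0).
"""
import copy
from fractions import Fraction as Fr

F_MINUS = [[1, 2, 2, 0], [0, 0, 1, 0], [0, 0, 0, 1], [0, 1, 0, 0]]
F_PLUS = [[0, 0, 1, 0], [1, 0, 0, 0], [0, 1, 1, 0], [0, 1, 0, 1]]
N = 4

def delta_minus(t):                       # Delta^-_t
    return [Fr(F_MINUS[p][t]) for p in range(N)]

def delta(t):                             # Delta_t = Delta^+_t - Delta^-_t
    return [Fr(F_PLUS[p][t] - F_MINUS[p][t]) for p in range(N)]

def dot(u, v):
    return sum(Fr(x) * Fr(y) for x, y in zip(u, v))

def enables(psi, t):
    """Proposition 11: does some (m, m') in [psi] satisfy m' >= Delta^-_t?"""
    a, b, rel = psi
    fixable = any(x < 0 for x in a) or any(x > 0 for x in b)   # (a, -b) not >= (0, 0)
    if rel == "<":
        return fixable
    return dot(b, delta_minus(t)) >= 0 or fixable

class Interval:
    """Feasible values of the single variable lambda >= 0 (Proposition 10)."""
    def __init__(self):
        self.lo, self.lo_strict, self.hi, self.hi_strict = Fr(0), False, None, False
    def at_least(self, v, strict=False):
        if v > self.lo or (v == self.lo and strict):
            self.lo, self.lo_strict = v, strict
    def at_most(self, v, strict=False):
        if self.hi is None or v < self.hi or (v == self.hi and strict):
            self.hi, self.hi_strict = v, strict
    def feasible(self):
        if self.hi is None:
            return True
        return self.lo < self.hi or (self.lo == self.hi and not (self.lo_strict or self.hi_strict))
    def scaled(self, g, k, strict):
        """Impose lambda*g >= k, or lambda*g > k when strict."""
        if g > 0:
            self.at_least(k / g, strict)
        elif g < 0:
            self.at_most(k / g, strict)
        elif k > 0 or (strict and k == 0):
            self.at_most(Fr(-1))          # 0 >= k (or 0 > k) fails: no lambda works

def t_implies(psi, psi_prime, t):
    """psi ~>_t psi', decided as X ⊆ Y with alpha = 1 (Propositions 9 and 12)."""
    if not enables(psi, t):
        return True                       # X is empty: nothing to check
    (a, b, rel), (a2, b2, rel2) = psi, psi_prime
    c = [Fr(x) for x in a] + [-Fr(x) for x in b]          # psi : c·(m,m') rel 0
    c2 = [Fr(x) for x in a2] + [-Fr(x) for x in b2]       # psi': c2·(m,m') rel2 0
    l = [Fr(0)] * N + delta_minus(t)                       # X = {x >= l : c·x rel 0}
    b_prime = -dot(c2, [Fr(0)] * N + delta(t))             # Y = {x : c2·x rel2 b'}
    g, h = dot(c, l), dot(c2, l)                           # (lambda*c - c2)·l = lambda*g - h
    lam = Interval()
    for ci, c2i in zip(c, c2):                             # lambda*c >= c2 componentwise
        if ci > 0:
            lam.at_least(c2i / ci)
        elif ci < 0:
            lam.at_most(c2i / ci)
        elif c2i > 0:
            return False
    k = h - b_prime                       # -b' <= (lambda*c - c2)·l  iff  lambda*g >= k
    if rel2 == "<=":                      # case 1 of Proposition 9
        lam.scaled(g, k, strict=False)
        return lam.feasible()
    if rel == "<=":                       # case 2
        lam.scaled(g, k, strict=True)
        return lam.feasible()
    strict_iv = copy.copy(lam)            # case 3: strict inequality ...
    strict_iv.scaled(g, k, strict=True)
    if strict_iv.feasible():
        return True
    eq_iv = copy.copy(lam)                # ... or equality together with lambda > 0
    eq_iv.at_least(Fr(0), strict=True)
    if g == 0:
        return k == 0 and eq_iv.feasible()
    eq_iv.at_least(k / g)
    eq_iv.at_most(k / g)
    return eq_iv.feasible()

def unit(p):
    return [1 if i == p else 0 for i in range(N)]

THETA_P4 = (unit(3), unit(3), "<=")        # m(p4) <= m'(p4), an atom of Example 2
PHI_T4 = (unit(3), unit(3), "<")           # m(p4) <  m'(p4), the clause phi_t4
THETA_P1 = (unit(0), unit(0), "<=")        # m(p1) <= m'(p1)
P1_EMPTY = ([0] * N, [-1, 0, 0, 0], "<=")  # 0 <= -m'(p1), i.e. m'(p1) = 0

def example_checks():
    """Returns (True, True, True, False, False, False)."""
    return (all(t_implies(THETA_P4, THETA_P4, t) for t in range(N)),  # no t decreases p4
            all(t_implies(PHI_T4, PHI_T4, t) for t in range(N)),
            t_implies(THETA_P4, PHI_T4, 3),     # firing t4 makes the inequality strict
            t_implies(THETA_P4, PHI_T4, 0),     # t1 leaves p4 untouched
            t_implies(THETA_P1, THETA_P1, 0),   # t1 consumes from p1
            enables(P1_EMPTY, 0))               # t1 cannot fire when p1 is empty
```

The first two results are exactly the self-implications that the proof of Theorem 2 derives from Item 4 for $\varphi_{inv}$ and $\varphi_t$; the third is the $u \in U \setminus U'$ case (Item 5) for $u = t_4$; the last one shows the vacuous situation $X = \emptyset$ of Proposition 11, under which `t_implies` returns true without solving anything.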
Theorem 3. Given $\mathcal{N} = (P, T, F)$, $\mathbf{m}_{src}, \mathbf{m}_{tgt} \in \mathbb{Q}^P_{\geq 0}$ and a formula $\varphi$, testing whether $\varphi$ is a locally closed bi-separator for $(\mathbf{m}_{src}, \mathbf{m}_{tgt})$ can be done in NC.

Proof. Recall that $\varphi = \varphi_1 \vee \cdots \vee \varphi_n$ must be in DNF with homogeneous atomic propositions. As arithmetic belongs in NC and $\varphi$ is in DNF, we can test whether $(\mathbf{m}_{src}, \mathbf{m}_{src}) \in [\![\varphi]\!]$, $(\mathbf{m}_{tgt}, \mathbf{m}_{tgt}) \in [\![\varphi]\!]$ and $(\mathbf{m}_{src}, \mathbf{m}_{tgt}) \notin [\![\varphi]\!]$ in NC by evaluating $\varphi$ in parallel. We can further test whether $\varphi$ is locally closed by checking the following (which is simply the definition of "locally closed"):

$$\bigwedge_{t \in T} \bigwedge_{i \in [1..n]} \bigvee_{j \in [1..n]} \bigwedge_{\psi' \in \varphi_j} \bigvee_{\psi \in \varphi_i} \psi \rightsquigarrow_t \psi' \quad \wedge \quad \bigwedge_{t \in T^T} \bigwedge_{i \in [1..n]} \bigvee_{j \in [1..n]} \bigwedge_{\psi' \in \varphi_j^T} \bigvee_{\psi \in \varphi_i^T} \psi \rightsquigarrow_t \psi'.$$

By Proposition 12, each test $\psi \rightsquigarrow_t \psi'$ can be carried out in NC. Therefore, we can perform all of them in parallel. Note that we do not have to explicitly compute the transpose of transitions and formulas; we can simply swap arguments.

Remark 1. Testing whether $\varphi$ is locally closed is even simpler if the tester is also given annotations indicating for every clause $\varphi_i$ and transition $t$ which clause $\varphi_j$ is supposed to satisfy $\varphi_i \rightsquigarrow_t \varphi_j$. This mapping is a byproduct of the procedure to compute a locally closed bi-separator, and so comes at no cost.


7 Bi-separators for set-to-set unreachability 


In most applications, one does not have to prove unreachability of one mark- 
ing, but rather of a set of markings, usually defined by means of some simple 
linear constraints. We show that our approach can be extended to “set-to-set 
reachability”, i.e. queries of the form Amero E A,Mtgt E B : Mere >* Megt, 
which we denote by A —* B. We focus on the case where sets A and B are 
described by conjunctions of atomic propositions; in other words, A and B are 
convex polytopes defined as intersections of half-spaces. In particular, this in- 
cludes “coverability” queries which are important in practice, i.e. where A is a 
singleton and B is of the form {m : m > b}. More generally, our approach can 
directly be adapted to convex linear Horn constraints, which is a fragment of lin- 
ear arithmetic that extends linear programs and that captures the expressiveness 
of continuous Petri nets [6]. 

As shown in [6, Lem. 3.7], given an atomic proposition $\varphi = (\mathbf{a} \cdot \mathbf{x} \sim b)$, one 
can construct (in logarithmic space) a Petri net $N_\varphi$ and some $\mathbf{y} \in \{0,1\}^{\ell}$ such 
that $\varphi(\mathbf{x})$ holds iff $(\mathbf{x}, \mathbf{y}) \to^* (\mathbf{0}, \mathbf{0})$ in $N_\varphi$. The idea, depicted in Figure 2 
(adapted from [6, Fig. 1]), is simply to cancel out positive and negative 
coefficients of $\varphi$. It is straightforward to adapt this construction to a conjunction 
$\bigwedge_{1 \le i \le k} \varphi_i(\mathbf{x})$ of atomic propositions. Indeed, it suffices to make $k$ copies of the 
gadget, where the places $\{p_1, \ldots, p_n\}$ and transitions $\{t_1, \ldots, t_n\}$ are shared. In 
this more general setting, $t_i$ consumes from $p_i$ and simultaneously spawns the 
respective coefficient into each copy. In summary, the following holds: 

Fig. 2. Petri net for $\varphi(\mathbf{x}) = (a_1 x_1 + \cdots + a_n x_n \ge c)$, where $a_1, a_2, c > 0$ and $a_n < 0$. 


Proposition 13. Given a conjunction of atomic propositions $\varphi$, it is possible to 
construct, in logarithmic space, a Petri net $N_\varphi$ and $\mathbf{y} \in \{0,1\}^{\ell}$ such that $\varphi(\mathbf{x})$ 
holds iff $(\mathbf{x}, \mathbf{y}) \to^* (\mathbf{0}, \mathbf{0})$ in $N_\varphi$. 
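The gadget behind Proposition 13, in executable form, as an added example that is not part of the paper. Because Figure 2 is not reproduced here, the layout is my own reading of the text and is an assumption of this example: shared places $p_j$ hold $\mathbf{x}$; a shared transition $t_j$ consumes one token of $p_j$ and spawns the coefficient $|a_{ij}|$ into an accumulator $\mathit{pos}_i$ or $\mathit{neg}_i$ of every conjunct $i$; a cancel transition removes matching positive and negative tokens; a control token $y_i$ is consumed by a check transition that also consumes $c_i$ tokens (or produces $|c_i|$ when $c_i < 0$); and surplus may be dropped since the constraint is non-strict. Playing the intended sequential run shows that the zero marking is reached exactly when the conjunction holds. The run is the "if" direction; the converse holds because emptying $p_j$, $\mathit{neg}_i$ and $y_i$ forces exactly the token flow the run uses, so no interleaving can do better. Place and transition names, and the continuous-firing simulation, are this example's, not the paper's.

```python
from fractions import Fraction as Fr

class ContinuousPetriNet:
    """Transitions map a name to (pre, post): dicts from place to weight.  Under the
    continuous semantics a transition fires with any rational amount a > 0 as long as
    the marking covers a * pre; this check is exact for the gadget below because none
    of its transitions feeds one of its own input places."""
    def __init__(self):
        self.trans = {}

    def add(self, name, pre, post):
        self.trans[name] = ({p: w for p, w in pre.items() if w}, {p: w for p, w in post.items() if w})

    def fire(self, m, name, amount):
        pre, post = self.trans[name]
        amount = Fr(amount)
        if amount <= 0 or any(m.get(p, 0) < amount * w for p, w in pre.items()):
            return None                                   # not enabled for this amount
        m = dict(m)
        for p, w in pre.items():
            m[p] = m.get(p, 0) - amount * w
        for p, w in post.items():
            m[p] = m.get(p, 0) + amount * w
        return m

def normalize(prop):
    """(a, rel, c) with rel in {'>=', '<=', '='}  ->  list of (a, c) read as a.x >= c."""
    a, rel, c = prop
    a, c = [Fr(v) for v in a], Fr(c)
    neg = ([-v for v in a], -c)
    return {">=": [(a, c)], "<=": [neg], "=": [(a, c), neg]}[rel]

def gadget(props, n):
    """Net for the conjunction of props over x in K^n (assumed layout, see lead-in):
    places p_j hold x; conjunct i owns accumulators pos_i/neg_i and a control token y_i."""
    rows = [r for p in props for r in normalize(p)]
    net = ContinuousPetriNet()
    for j in range(n):                 # shared t_j: one token of p_j spawns |a_ij| into every copy
        post = {}
        for i, (a, _) in enumerate(rows):
            if a[j] > 0:
                post[f"pos{i}"] = a[j]
            elif a[j] < 0:
                post[f"neg{i}"] = -a[j]
        net.add(f"t{j}", {f"p{j}": Fr(1)}, post)
    for i, (_, c) in enumerate(rows):
        net.add(f"check{i}", {f"y{i}": Fr(1), f"pos{i}": max(c, 0)}, {f"pos{i}": max(-c, 0)})
        net.add(f"cancel{i}", {f"pos{i}": Fr(1), f"neg{i}": Fr(1)}, {})   # cancel +/- coefficients
        net.add(f"drop{i}", {f"pos{i}": Fr(1)}, {})                       # surplus is fine for >=
    return net, rows

def initial_marking(rows, x):
    m = {f"p{j}": Fr(v) for j, v in enumerate(x)}          # x is a marking, so x >= 0
    m.update({f"y{i}": Fr(1) for i in range(len(rows))})
    return m

def witness_run(props, x):
    """Play the intended sequential run: empty every p_j, then per conjunct fire check
    once, cancel as much as neg_i holds and drop what is left of pos_i.  Returns the
    final marking, or None as soon as a step is not enabled."""
    net, rows = gadget(props, len(x))
    m = initial_marking(rows, x)
    for j, v in enumerate(x):
        if v > 0 and (m := net.fire(m, f"t{j}", v)) is None:
            return None
    for i in range(len(rows)):
        for name, amount in (("check", Fr(1)), ("cancel", None), ("drop", None)):
            if amount is None:
                amount = m.get(f"neg{i}" if name == "cancel" else f"pos{i}", Fr(0))
            if amount > 0 and (m := net.fire(m, f"{name}{i}", amount)) is None:
                return None
    return m

def reaches_zero(props, x):
    """True iff the witness run ends in the zero marking, i.e. iff all props hold at x."""
    m = witness_run(props, x)
    return m is not None and all(v == 0 for v in m.values())

def holds(props, x):
    """Direct evaluation of the conjunction, used to cross-check the gadget."""
    return all(sum(a * Fr(v) for a, v in zip(row[0], x)) >= row[1]
               for p in props for row in normalize(p))
```

A proposition is written as `(coefficients, relation, constant)`, so `([1, -1], ">=", 2)` is $x_1 - x_2 \ge 2$; `reaches_zero(props, x)` and `holds(props, x)` agree on every $\mathbf{x} \ge \mathbf{0}$, which is the content of the proposition for this gadget. Amounts are exact rationals, as continuous semantics requires; the check transition with $c_i = 0$ consumes only the control token.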


With the previous construction in mind, we can reformulate any set-to-set 
reachability query into a standard (“marking-to-marking” ) reachability query. 


Proposition 14. Given a Petri net $N$ and convex polytopes $A$ and $B$ described 
as conjunctions of atomic propositions, one can construct, in logarithmic space, a Petri 
net $N'$ and markings $\mathbf{m}_{\mathrm{src}}$ and $\mathbf{m}_{\mathrm{tgt}}$ such that $A \to^* B$ in $N$ iff $\mathbf{m}_{\mathrm{src}} \to^* \mathbf{m}_{\mathrm{tgt}}$ in $N'$. 


Proof. Let $N = (P, T, F_-, F_+)$ where $P = \{p_1, \ldots, p_n\}$. Let us describe $N'$ 
with the help of Figure 3. The Petri net $N'$ extends $N$ as follows: 

— we add transitions $\{t_1, \ldots, t_n\}$ whose purpose is to nondeterministically 
guess an initial marking of $N$ in $P$, and make a copy in $P' := \{p'_1, \ldots, p'_n\}$; 

— we add a gadget, obtained from Proposition 13, to test whether the marking 
in $P'$ belongs to $A$; and we add a gadget, obtained from Proposition 13, to 
test whether the marking in $P$ belongs to $B$. 


Fig. 3. Reduction from set-to-set reachability to (marking-to-marking) reachability. 
The Petri net $N'$ is intended to work sequentially as follows: (1) guess the 
initial marking $\mathbf{m}$ of $N$; (2) execute $N$ on $\mathbf{m}$ and reach a marking $\mathbf{m}'$; and (3) test 
whether $\mathbf{m} \in A$ and $\mathbf{m}' \in B$. If $N'$ follows this order, then it is straightforward 
to see that $A \to^* B$ in $N$ iff $(\mathbf{0}, \mathbf{0}, \mathbf{y}, \mathbf{y}') \to^* (\mathbf{0}, \mathbf{0}, \mathbf{0}, \mathbf{0})$ in $N'$, where $\mathbf{y}$ and $\mathbf{y}'$ are 
obtained from Proposition 13. However, $N'$ may interleave the different phases.⁴ 
Nonetheless, this is not problematic, as any run of $N'$ can be reordered in such 
a way that all three phases are consecutive. Indeed, phase (1) only produces 
tokens in $P \cup P'$, and phase (3) only consumes tokens from $P \cup P'$. 


As a consequence of Proposition 14, combined with Theorems 2 and 3, we 
obtain the following corollary: 


Corollary 1. A negative answer to a convex polytope query $A \to^* B$ is witnessed 
by a locally closed bi-separator computable in polynomial time and checkable 
in NC. 


8 Conclusion 


We have shown that continuous Petri nets admit locally closed bi-separators that 
can be efficiently computed. These separators are succinct and very efficiently 
checkable certificates of unreachability. In particular, checking that a linear formula 
is a locally closed bi-separator is in NC, and only requires solving linear 
inequalities in one variable over the nonnegative reals. 

Verification tools that have not been formally verified, or rely (as is usu- 
ally the case) on external packages for linear arithmetic, can apply our results 
to provide certificates for their output. Further, our separators can be used as 
explanations of why a certain marking is unreachable. Obtaining minimal expla- 
nations is an interesting research avenue. 

From a logical point of view, separators are very closely related to inter- 
polants for linear arithmetic, which are widely used in formal verification to 
refine abstractions in the CEGAR approach [3,17,18,1]. We intend to explore 
whether they can constitute the basis of a CEGAR approach for the verification 
of continuous Petri nets. 


Acknowledgments. We thank the anonymous referees for their comments, and 
in particular for suggesting a more intuitive definition of bi-separator. 


⁴ It is tempting to implement a lock, but this only works under discrete semantics. 


References 


1. Althaus, E., Beber, B., Kupilas, J., Scholl, C.: Improving interpolants for linear arithmetic. In: Proc. 13th International Symposium on Automated Technology for Verification and Analysis (ATVA). pp. 48-63 (2015). https://doi.org/10.1007/978-3-319-24953-7_5 
Separators in Continuous Petri Nets 99 


2. Baumann, P., Majumdar, R., Thinniyam, R.S., Zetzsche, G.: Context-bounded verification of liveness properties for multithreaded shared-memory programs. Proceedings of the ACM on Programming Languages (PACMPL) 5, 1-31 (2021). https://doi.org/10.1145/3434325 

3. Beyer, D., Zufferey, D., Majumdar, R.: CSIsat: Interpolation for LA+EUF. In: Proc. 20th International Conference on Computer Aided Verification (CAV). pp. 304-308 (2008). https://doi.org/10.1007/978-3-540-70545-1_29 

4. Blondin, M., Esparza, J., Helfrich, M., Kučera, A., Meyer, P.J.: Checking qualitative liveness properties of replicated systems with stochastic scheduling. In: Proc. 32nd International Conference on Computer Aided Verification (CAV). vol. 12225, pp. 372-397 (2020). https://doi.org/10.1007/978-3-030-53291-8_20 

5. Blondin, M., Finkel, A., Haase, C., Haddad, S.: The logical view on continuous Petri nets. ACM Transactions on Computational Logic (TOCL) 18(3), 24:1-24:28 (2017). https://doi.org/10.1145/3105908 

6. Blondin, M., Haase, C.: Logics for continuous reachability in Petri nets and vector addition systems with states. In: Proc. 32nd Annual ACM/IEEE Symposium on Logic in Computer Science (LICS). pp. 1-12 (2017). https://doi.org/10.1109/LICS.2017.8005068 

7. Czerwiński, W., Orlikowski, Ł.: Reachability in vector addition systems is Ackermann-complete. In: Proc. 62nd Annual IEEE Symposium on Foundations of Computer Science (FOCS) (2021), to appear 

8. David, R., Alla, H.: Discrete, Continuous, and Hybrid Petri Nets. Springer, 2nd edn. (2010) 

9. Desel, J., Esparza, J.: Free Choice Petri Nets. No. 40, Cambridge University Press (1995) 

10. Esparza, J., Helfrich, M., Jaax, S., Meyer, P.J.: Peregrine 2.0: Explaining correctness of population protocols through stage graphs. In: Proc. 18th International Symposium on Automated Technology for Verification and Analysis (ATVA). vol. 12302, pp. 550-556 (2020). https://doi.org/10.1007/978-3-030-59152-6_32 

11. Feng, Y., Martins, R., Wang, Y., Dillig, I., Reps, T.W.: Component-based synthesis for complex APIs. In: Proc. 44th ACM SIGPLAN Symposium on Principles of Programming Languages (POPL). pp. 599-612. ACM (2017). https://doi.org/10.1145/3009837.3009851 

12. Fraca, E., Haddad, S.: Complexity analysis of continuous Petri nets. Fundamenta Informaticae 137(1), 1-28 (2015). https://doi.org/10.3233/FI-2015-1168 

13. German, S.M., Sistla, A.P.: Reasoning about systems with many processes. Journal of the ACM 39(3), 675-735 (1992). https://doi.org/10.1145/146637.146681 

14. Leroux, J.: Vector addition systems reachability problem (A simpler solution). In: Turing-100 - The Alan Turing Centenary. vol. 10, pp. 214-228 (2012). https://doi.org/10.29007/bnx2 

15. Leroux, J.: The reachability problem for Petri nets is not primitive recursive. In: Proc. 62nd Annual IEEE Symposium on Foundations of Computer Science (FOCS) (2021), to appear 

16. Leroux, J., Schmitz, S.: Reachability in vector addition systems is primitive-recursive in fixed dimension. In: Proc. 34th Symposium on Logic in Computer Science (LICS). pp. 1-13 (2019). https://doi.org/10.1109/LICS.2019.8785796 

17. Rybalchenko, A., Sofronie-Stokkermans, V.: Constraint solving for interpolation. Journal of Symbolic Computation 45(11), 1212-1233 (2010). https://doi.org/10.1016/j.jsc.2010.06.005 


100 M. Blondin and J. Esparza 


18. Scholl, C., Pigorsch, F., Disch, S., Althaus, E.: Simple interpolants for linear arith- 
metic. In: Proc. Conference & Exhibition on Design, Automation & Test in Europe 
(DATE). pp. 1-6 (2014). https://doi.org/10.7873/DATE.2014.128 


Open Access This chapter is licensed under the terms of the Creative Commons 
Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), 
which permits use, sharing, adaptation, distribution and reproduction in any medium 
or format, as long as you give appropriate credit to the original author(s) and the 
source, provide a link to the Creative Commons license and indicate if changes were 
made. 

The images or other third party material in this chapter are included in the chapter’s 
Creative Commons license, unless indicated otherwise in a credit line to the material. If 
material is not included in the chapter’s Creative Commons license and your intended 
use is not permitted by statutory regulation or exceeds the permitted use, you will need 
to obtain permission directly from the copyright holder. 


Graphical Piecewise-Linear Algebra 


Guillaume Boisseau¹ and Robin Piedeleu² 


¹ University of Oxford, Oxford, UK, guillaume.boisseau@cs.ox.ac.uk 
² University College London, London, UK, r.piedeleu@ucl.ac.uk 


Abstract. Graphical (Linear) Algebra is a family of diagrammatic lan- 
guages allowing to reason about different kinds of subsets of vector spaces 
compositionally. It has been used to model various application domains, 
from signal-flow graphs to Petri nets and electrical circuits. In this paper, 
we introduce to the family its most expressive member to date: Graphi- 
cal Piecewise-Linear Algebra, a new language to specify piecewise-linear 
subsets of vector spaces. 

Like the previous members of the family, it comes with a complete ax- 
iomatisation, which means it can be used to reason about the correspond- 
ing semantic domain purely equationally, forgetting the set-theoretic 
interpretation. We show completeness using a single axiom on top of 
Graphical Polyhedral Algebra, and show that this extension is the small- 
est that can capture a variety of relevant constructs. 

Finally, we showcase its use by modelling the behaviour of stateless elec- 
tronic circuits of ideal elements, a domain that had remained outside the 
remit of previous diagrammatic languages. 


Keywords: string diagrams - piecewise-linear - prop - axiomatisation 


1 Introduction 


Functional thinking underpins most scientific models. Nature, however, does 
not distinguish inputs and outputs—physical systems are governed by laws that 
merely express relations between their observable variables. While influential 
scientists, like the famous control theorist J. Willems, have pointed out the 
blind spots of functional thinking [11], it has remained the dominant paradigm 
in science and engineering. Arguably, our mathematical practice, especially the 
foundational emphasis on sets and functions, and the limitations of standard al- 
gebraic syntax, are partially to blame for the persistence of this status quo. But 
there are also alternative approaches, that take relations seriously as the primi- 
tive building blocks of our mathematical models. Category theory in particular 
is agnostic about what constitutes a morphism and can accommodate relations 
as easily as functions. 

Relations, with their usual composition and the cartesian product of sets, 
form a monoidal category—a category in which morphisms can be composed 
in two different ways. As a result, they admit a natural two-dimensional syn- 
tax of string diagrams. This notation has several advantages when it comes to 
reasoning about open and interconnected systems [1]: string diagrams naturally 
keep track of structural properties, such as interconnectivity; they factor out 
irrelevant topological information that standard algebraic syntax needs to keep 
explicit; variable-sharing—the relational form of composition for systems—is de- 
picted simply by wiring different components together. 

As a result, a wealth of recent developments in computer science and be- 
yond have adopted relations and their diagrammatic notation as a unifying lan- 
guage to reason about a broad range of systems, from electrical circuits to Petri 
nets [2,6,5]. Many of these follow the same methodology. 1) Given a class of 
systems, find a set of diagrammatic generators from which any system can be 
specified, using the two available forms of composition. 2) Interpret each of them 
as a relation between the observable variables of the system that they describe. 
This defines a structure-preserving mapping—a monoidal functor—from the di- 
agrammatic syntax to the semantics, from the two-dimensional representation 
of a system to its behaviour. 3) Finally, identify a convenient set of equations 
between diagrams, from which any semantic equality between the behaviour of 
the corresponding systems may be derived. 

Graphical linear algebra (GLA) is a paradigmatic example of this approach. 
It provides a diagrammatic syntax to reason compositionally about different 
types of linear dynamical systems (including for instance traditional signal flow 
graphs) and prove their behavioural equivalence purely diagrammatically. The 
syntax of GLA is generated by the following primitive components: 


[Diagram: the primitive generators of GLA, namely the black copy and discard nodes, the white add and zero nodes, and a scalar for each $k \in \mathbb{K}$; the string diagrams are not reproduced here.] 


As relations, the black nodes force all of their ports to share the same value; the 
white nodes constrain their left ports and the right ports to sum to the same value 
(or to zero when there are no left/right ports); the final generator, parameterised 
by an element $k$ of the chosen field $\mathbb{K}$, behaves as an amplifier: its right value is 
$k$ times the left value. Following point 3) of the methodology sketched above, 
GLA enjoys a sound and complete equational theory for the specified semantics, 
called the theory of Interacting Hopf Algebras (IH). In summary, string diagrams 
with n ports on the left and m ports on the right, quotiented by the axioms of 
IH, are precisely linear relations, i.e., linear subspaces of $\mathbb{K}^n \times \mathbb{K}^m$. 

GLA was the starting point of different extensions, two of which play a 
prominent role in this paper. First, Graphical Affine Algebra, which adds to 
the syntax a generator for the constant $1$. This allows it to express affine 
relations, i.e. affine subspaces of $\mathbb{K}^n \times \mathbb{K}^m$. A corresponding complete equational 
theory was presented in [6]. Then, Graphical Polyhedral Algebra (GPA), which 
assumes that $\mathbb{K}$ is an ordered field and adds a generator for this order. The 
resulting graphical calculus can express all polyhedral relations, i.e., polyhedra³ 
in $\mathbb{K}^n \times \mathbb{K}^m$, and also comes with its own complete axiomatisation. 

In this paper, we define the most expressive member of the GLA family tree 
to date: Graphical Piecewise-Linear Algebra (GPLA) is a hybrid of symbolic and 


³ For the case of $\mathbb{R}$, these include the usual polytopes, which are bounded subsets of 
$\mathbb{R}^n \times \mathbb{R}^m$, as well as proper polyhedra, which may have unbounded faces. 
diagrammatic syntax for piecewise-linear (pl) relations, that is, finite unions of polyhedra 
in $\mathbb{K}^n \times \mathbb{K}^m$, and a corresponding complete equational theory. We argue 
below that the proposed language strikes a convincing balance between structure 
and expressiveness. It is a simple extension of GPA [4], yet for $\mathbb{K} = \mathbb{R}$, it is 
sufficiently powerful to approximate any submanifold of $\mathbb{R}^n$ arbitrarily closely. 

Furthermore, this extension completes a research program initiated in parallel 
with the birth of GLA [2,6,3]: its chief purpose was to give the informal graphical 
notation for electrical circuits a formal, compositional interpretation, with a 
corresponding equational theory. 

Until now however, the category-theoretic setting could only accommodate 
components with a linear (more precisely, affine) behaviour, such as resistors, 
inductors, capacitors, voltage and current sources. GPLA finally makes it possi- 
ble to reason equationally about electronic components, such as ideal diodes and 
transistors. Even when the idealised physical behaviour of these components is 
not necessarily piecewise-linear, GPLA is theoretically expressive enough to ap- 
proximate it as closely as necessary. Indeed, piecewise-linear approximations of 
transistor behaviour have been proposed to bypass the unavoidable abstraction 
leaks of purely digital circuits [9]. In this context, GPLA can serve as a form of 
abstract interpretation for electronic circuits, with adjustable precision to allow 
for the intended semantics to be as physically realistic as desired. Of course, 
in practice, working with large diagrams can be prohibitive. But this is a lim- 
itation shared by all members of the Graphical Algebra family, and developing 
convenient tools and techniques for diagrammatic reasoning is an active research 
area. Our main thrust is that piecewise-linearity provides the appropriate level 
of structure, where general relations are too flexible to come with a useful equa- 
tional theory, and linear relations are too rigid to accommodate diodes and other 
electronic components. 

Finally, a remark about syntax. While it is possible to make the language 
purely diagrammatic, we found that what one gains in purity one loses in com- 
plexity. Ultimately, the hybrid syntax of union and diagrams is more convenient 
to manipulate and intuitive to read. In fact, this is not the first time that sums of 
diagrams appear in the literature [8]. Nevertheless, one of our central technical 
contributions is the rigorous definition of a syntax blending diagrams and binary 
joins, and the corresponding notion of equational theory. 


Outline. In Section 2 we recall the necessary mathematical background, the fun- 
damentals of diagrammatic syntax, and the language of Graphical Polyhedral 
Algebra (GPA). In Section 3, we extend the diagrammatic syntax with unions 
and define the notion of symmetric monoidal semi-lattice theory. From there, 
in Section 4, we extend GPA with unions, to capture piecewise-linear relations, 
and give this new language a theory that we prove is complete (Theorem 2). 
This is our main technical contribution. In Section 5, we explore alternative 
languages for piecewise-linear relations, and show that they are all equally ex- 
pressive. Finally, in Section 6, we extend the compositional re-interpretation of 
electrical circuits from [3] to include electronic components, namely diodes and 
transistors. 
2 Preliminaries 


Informally, our starting point is a simple diagrammatic language of circuits built 
from the following generators: 


[Equation (1): the generators of the language, drawn as string diagrams (the black and white nodes, their mirror images, the order generator, the constant $1$ and a scalar for each $k \in \mathbb{K}$); the diagrams are not reproduced here.] 


We will explain how these basic components can be wired together and give 
them a formal interpretation. 


2.1 Props and Symmetric Monoidal Theories 


The mathematical backbone of our approach is the notion of product and permutations 
category (prop), a structure which generalises standard algebraic theories 
[7]. Formally, a prop is a strict symmetric monoidal category (SMC) whose 
objects are the natural numbers and where the monoidal product $\oplus$ on objects 
is given by addition. Equivalently, it is a strict SMC whose objects are 
all monoidal products of a single generating object. Prop morphisms are strict 
symmetric monoidal functors that act as the identity on objects. 

Following an established methodology, we will define two props: Syn and 
Sem, for the syntax and semantics respectively. To guarantee a compositional 
interpretation, we require [-] : Syn —> Sem, the mapping of terms to their 
intended semantics, to be a prop morphism. 

Typically, the syntactic prop $\mathsf{Syn}$ is freely generated from a monoidal signature 
$\Sigma$, i.e. a set of arrows $g : m \to n$. In this case, we use the notation $P\Sigma$ and 
$\mathsf{Syn}$ interchangeably. Morphisms of $P\Sigma$ are terms of an $(\mathbb{N}, \mathbb{N})$-sorted syntax, 
whose constants are elements of $\Sigma$ and whose operations are the usual composition 
$(-);(-) : \mathsf{Syn}(n,m) \times \mathsf{Syn}(m,l) \to \mathsf{Syn}(n,l)$ and the monoidal product 
$(-) \oplus (-) : \mathsf{Syn}(n_1,m_1) \times \mathsf{Syn}(n_2,m_2) \to \mathsf{Syn}(n_1+n_2, m_1+m_2)$, quotiented 
by the laws of SMCs. But this quotient is cumbersome and unintuitive to work 
with. 

This is why we will prefer a different representation. With their two forms 
of composition, monoidal categories admit a natural two-dimensional graphical 
notation of string diagrams. The idea is that an arrow $c : n \to m$ of $P\Sigma$ is better 
represented as a box with $n$ ordered wires on the left and $m$ on the right. We 
can compose these diagrams in two different ways: horizontally, by connecting 
the right wires of one diagram to the left wires of another, and vertically, by 
juxtaposing two diagrams: 

[Diagram: $c;d$ is drawn as the box $c$ with $n$ wires on its left, joined by $m$ wires to the box $d$ with $l$ wires on its right; $d_1 \oplus d_2$ is drawn as the box $d_1$ stacked above the box $d_2$. Not reproduced here.] 

where the labelled wire $-^{n}$ is syntactic sugar for a stack of $n$ wires. The identity 
$\mathrm{id}_1 : 1 \to 1$ is denoted as a plain wire, the unit for $\oplus$, $\mathrm{id}_0 : 0 \to 0$, as the empty 
diagram, and when the category is symmetric, the symmetry $\sigma_{1,1} : 2 \to 2$ is 
denoted as a wire crossing. With this representation the laws of SMCs become 
diagrammatic tautologies. 

Once we have defined $\llbracket \cdot \rrbracket : \mathsf{Syn} \to \mathsf{Sem}$, it is natural to look for equations 
to reason about semantic equality directly on the diagrams themselves. Given 
a set of equations $E$, i.e., a set containing pairs of arrows of the same type, we 
write $=_E$ for the smallest congruence wrt the two composition operations $;$ and 
$\oplus$. We say that $=_E$ is sound if $c =_E d$ implies $\llbracket c \rrbracket = \llbracket d \rrbracket$. It is moreover complete 
when the converse implication holds. We call a pair $(\Sigma, E)$ a symmetric monoidal 
theory (SMT) and we can form the prop $P\Sigma/_E$ obtained by quotienting $P\Sigma$ by 
$=_E$. There is then a prop morphism $q : P\Sigma \to P\Sigma/_E$ witnessing this quotient. 

We may also wonder what the expressive power of our diagrammatic language 
is. In terms of props we look to characterise precisely the image $\mathrm{Im}(\llbracket \cdot \rrbracket)$ of the 
syntax via $\llbracket \cdot \rrbracket$. 

The situation for a sound and complete SMT is summarised by a commutative 
diagram (not reproduced here) in which $\llbracket \cdot \rrbracket : \mathsf{Syn} = P\Sigma \to \mathsf{Sem}$ factors through 
$q : P\Sigma \to P\Sigma/_E$ and $s : P\Sigma/_E \to \mathrm{Im}(\llbracket \cdot \rrbracket)$. Soundness simply means that $\llbracket \cdot \rrbracket$ factors 
as $s \circ q$ through $P\Sigma/_E$, and completeness means that $s$ is a faithful prop 
morphism. 

Typically, our semantic prop $\mathsf{Sem}$ will be (a subcategory of) the category of 
sets and relations. 


Definition 1. Let $\mathbb{K}$ be a field. $\mathsf{Rel}_{\mathbb{K}}$ is the prop 

— whose arrows $n \to m$ are relations $R \subseteq \mathbb{K}^n \times \mathbb{K}^m$, 

— with composition given by $R;S = \{(x,z) \mid \exists y.\ (x,y) \in R \wedge (y,z) \in S\}$, for 
$R : n \to m$, $S : m \to l$, and identity $n \to n$ the diagonal $\{(x,x) \mid x \in \mathbb{K}^n\}$, 

— monoidal product given by 

$R_1 \oplus R_2 = \{((x_1, x_2), (y_1, y_2)) \mid (x_1, y_1) \in R_1 \wedge (x_2, y_2) \in R_2\}$ 

for $R_1 : n_1 \to m_1$ and $R_2 : n_2 \to m_2$, 

— symmetry $n+m \to m+n$, the relation $\{((x,y),(y,x)) \mid (x,y) \in \mathbb{K}^n \times \mathbb{K}^m\}$. 

2.2 Ordered Props and Symmetric Monoidal Inequality Theories 


Our semantic prop $\mathsf{Rel}_{\mathbb{K}}$ carries additional structure that we wish to lift to 
the syntax: as subsets of $\mathbb{K}^n \times \mathbb{K}^m$, relations $n \to m$ can be ordered by inclusion. 
The corresponding structure is that of an ordered prop, a prop enriched over 
the category of posets, whose composition and monoidal product are monotone 
maps. 

If props can be presented by SMTs, ordered props can be presented by symmetric 
monoidal inequality theories (SMITs). Formally, the data of a SMIT is 
the same as that of a SMT: a signature $\Sigma$ and a set $I$ of pairs $c, d : n \to m$ of 
$P\Sigma$-arrows of the same type, that we now read as inequalities $c \le d$. 

As for plain props, we can construct an ordered prop from a SMIT by building 
the free prop $P\Sigma$ and passing to a quotient $P\Sigma/_I$. First, we build a preorder 
on each homset by closing $I$ under $;$ and $\oplus$ and taking the reflexive and transitive 
closure of the resulting relation. Then, we obtain the free ordered prop $P\Sigma/_I$ by 
quotienting the resulting preorder by imposing anti-symmetry. 

SMITs subsume SMTs, since every SMT can be presented as a SMIT, by 
splitting each equation into two inequalities. We will refer to both simply as 
theories and their defining inequalities as axioms. When referring to a sound 
and complete theory, we will also use the term axiomatisation, as is standard in 
the literature. 


2.3 Graphical Polyhedral Algebra 


We now assume that $\mathbb{K}$ is an ordered field, that is, a field equipped with a 
total order $\ge$ compatible with the field operations in the following sense: for all 
$x, y, z \in \mathbb{K}$, i) if $x \ge y$ then $x + z \ge y + z$, and ii) if $x \ge 0$ and $y \ge 0$ then $xy \ge 0$. 

Following [4], from the generators in (1), we define a prop, give it a semantics 
in $\mathsf{Rel}_{\mathbb{K}}$, characterise the image of the semantic functor, and describe an 
axiomatisation for the specified semantics. 


— For the signature $\Sigma$ made of the generators in (1), namely the black copy and discard nodes, the white add and zero nodes, their mirror images, the order generator, the constant $1$ and a scalar for each $k \in \mathbb{K}$, define $\llbracket \cdot \rrbracket : P\Sigma \to \mathsf{Rel}_{\mathbb{K}}$ to be the prop morphism given by 

  — copy $1 \to 2$: $\{(x, (x,x)) \mid x \in \mathbb{K}\}$, and discard $1 \to 0$: $\{(x, \bullet) \mid x \in \mathbb{K}\}$; 

  — add $2 \to 1$: $\{((x,y), x+y) \mid x, y \in \mathbb{K}\}$, and zero $0 \to 1$: $\{(\bullet, 0)\}$; 

  — their mirror images: $\{((x,x), x) \mid x \in \mathbb{K}\}$, $\{(\bullet, x) \mid x \in \mathbb{K}\}$, $\{(x+y, (x,y)) \mid x, y \in \mathbb{K}\}$ and $\{(0, \bullet)\}$; 

  — the scalar $k$, for $k \in \mathbb{K}$: $\{(x, k \cdot x) \mid x \in \mathbb{K}\}$; 

  — the order generator: $\{(x,y) \in \mathbb{K} \times \mathbb{K} \mid x \ge y\}$, and the constant: $\{(\bullet, 1)\}$. 

— The image of $P\Sigma$ by $\llbracket \cdot \rrbracket$ is the prop whose arrows $n \to m$ are finitely 
generated polyhedra of $\mathbb{K}^n \times \mathbb{K}^m$, i.e., subsets of the form 

$\{(\mathbf{x}, \mathbf{y}) \in \mathbb{K}^n \times \mathbb{K}^m \mid A \binom{\mathbf{x}}{\mathbf{y}} + \mathbf{b} \ge 0\}$ 

for some matrix $A$ and some vector $\mathbf{b}$ (see [4] for more details, in particular 
the appendix for the proof that these form a prop). 

— $\mathsf{IH}^{\ge}$ provides an axiomatisation of polyhedral relations [4, Corollary 25]; it 
can be found in the first four blocks of Fig. 1. 


Example 1 (Duality). Two diagrams play a special role in this paper: the half 
turns, called cup and cap, respectively. Using these and the wire crossing, we 
can build cups and caps for any number $n$ of wires. 

They allow us to associate a dual $d^{op} : n \to m$ to any diagram $d : m \to n$ 
by turning its left ports into right ports and vice-versa, bending the wires round 
with a cup and a cap (the diagram is not reproduced here). 

Correspondingly, $\llbracket d^{op} \rrbracket$ is the opposite relation, i.e. $\llbracket d^{op} \rrbracket = \{(y,x) \mid (x,y) \in \llbracket d \rrbracket\}$. 
We will use a suggestive mirror notation to denote the dual of a given generator: 
each mirrored generator is defined as the dual of the one it mirrors. 


3 Symmetric Monoidal Semi-Lattice Theories 


There are several routes to describe piecewise-linear subsets of $\mathbb{K}^n$. In this paper 
we choose to equip our syntax with a primitive operation of join, in order to 
describe piecewise-linear sets as (finite) unions of polyhedra. In the same way 
that we moved from simple props to ordered props in Section 2.2, we now move 
to the setting of semi-lattice-enriched props. 

A $\cup$-prop is a prop enriched over the monoidal category of semi-lattices (partially 
ordered sets with least upper bounds for any finite subset) and join-preserving 
maps, with the Cartesian product as monoidal product. In other 
words, a $\cup$-prop is a prop whose homsets are semi-lattices, with composition and 
monoidal product themselves join-preserving. The paradigmatic example is $\mathsf{Rel}_{\mathbb{K}}$, 
which is a $\cup$-prop with the union of relations as join. 

As we would like to incorporate binary joins into our syntax, we need a new 
description of the free $\cup$-prop $P_\cup\Sigma$ over a given signature $\Sigma$. 


— The arrows $n \to m$ of $P_\cup\Sigma$ are finite sets of arrows $n \to m$ of $P\Sigma$. We 
use capital letters $C, D, \ldots$ to range over them. We will also abuse notation 
slightly, using $c, d, \ldots$ to refer to singletons $\{c\}, \{d\}, \ldots$ and writing $d_1 \cup \cdots \cup d_n$ 
for the set $\{d_1, \ldots, d_n\}$. The set can be empty, yielding the bottom of the 
semi-lattice. 

— The composition of $C : n \to m$ and $D : m \to l$ is given by $C;D = \{c;d \mid 
c \in C, d \in D\}$, where $c;d$ denotes composition in $P\Sigma$. The identity over $n$ is 
the singleton $\{\mathrm{id}_n\}$. 

— The monoidal product of $D_1 : n_1 \to m_1$ and $D_2 : n_2 \to m_2$ is given by 
$D_1 \oplus D_2 = \{d_1 \oplus d_2 \mid d_1 \in D_1, d_2 \in D_2\}$, where $d_1 \oplus d_2$ is the monoidal 
product in $P\Sigma$. 

— For the enrichment, each homset $P_\cup\Sigma(n,m)$ is a semi-lattice with union 
as join. By definition, composition and monoidal product distribute over 
union and define join-preserving maps $(-);(-) : P_\cup\Sigma(n,m) \times P_\cup\Sigma(m,l) \to 
P_\cup\Sigma(n,l)$ and $(-) \oplus (-) : P_\cup\Sigma(n_1,m_1) \times P_\cup\Sigma(n_2,m_2) \to P_\cup\Sigma(n_1+n_2, m_1+m_2)$. 
We now define a corresponding notion of theory for $\cup$-props. A symmetric 
monoidal (semi-)lattice theory (SMLT) is the data of a signature $\Sigma$ and a set $E$ of 
equations: formally the latter is a set of pairs $(C, D)$ of arrows $C, D : n \to m$ from 
$P_\cup\Sigma$. We will write the elements of $E$ as equations of the form $\bigcup_{c \in C} c = \bigcup_{d \in D} d$. 
We now explain how to define a $\cup$-prop $P_\cup\Sigma/_E$ from the data of an SMLT $(\Sigma, E)$. 


As for SMTs, we can build the smallest congruence $=_E$ wrt $;$ and $\oplus$ which 
equates the pairs in $E$. Then define $P_\cup\Sigma/_E$ to be the quotient of $P_\cup\Sigma$ by $=_E$. 
That this is a well-defined $\cup$-prop follows again from the distributivity of the 
composition and monoidal product over unions. 

Note that the semi-lattice structure allows us to define an order over the 
homsets of any $\cup$-prop, making it into an ordered prop: we write $C \sqsubseteq D$ as a 
shorthand for $C \cup D = D$. We will also use $C \sqsubseteq_E D$ for $C \cup D =_E D$ in $P_\cup\Sigma/_E$. 
(We prefer this notation to avoid confusion with the order $\ge$ on $\mathbb{K}$ itself.) 


Remark 1 (Reasoning in $\cup$-props). The reader familiar with string diagrams and 
equational reasoning might be surprised by certain features of derivations that 
combine diagrammatic and traditional syntax (joins, in this case). We would 
like to clarify one particular point. When we want to use an equality of the 
form $d = d_1 \cup d_2$ inside a term of the form $c_1 \cup c_2 \cup c$, we need to identify a 
linear context $\mathcal{C}[-]$ (i.e. the hole occurs exactly once in $\mathcal{C}$) common to $c_1$ and $c_2$ 
such that $c_1 = \mathcal{C}[d_1]$ and $c_2 = \mathcal{C}[d_2]$. Then we are allowed to use the fact that 
$\mathcal{C}[d] = \mathcal{C}[d_1] \cup \mathcal{C}[d_2]$ to conclude that $c_1 \cup c_2 \cup c = \mathcal{C}[d] \cup c$. An example of this 
form of reasoning can be found in the proof of Lemma 2, where an equality of 
this shape is applied inside a larger diagram (the derivation is not reproduced here). 

Note that, to clarify the common context to the reader, we will often use the 
intermediate notation $\mathcal{C}[d_1 \cup d_2]$, as in the first step of that derivation. 


4 The Theory of Piecewise-Linear Relations 


4.1 Syntax and Semantics 


For piecewise-linear relations we retain the same signature $\Sigma$ and consider 
$P_\cup\Sigma$, the free $\cup$-prop over it. As we saw, its morphisms are nonempty finite 
sets of diagrams of $P\Sigma$. This is our syntax. 

On the semantic side, we now need to extend the functor $\llbracket \cdot \rrbracket$ to have $P_\cup\Sigma$ 
as domain, retaining $\mathsf{Rel}_{\mathbb{K}}$ as codomain. Concretely, since we already know how 
to assign a relation to each diagram of $P\Sigma$, we only need to specify how to 
interpret finite sets of such diagrams: unsurprisingly, we set 


$\llbracket \{d_1, \ldots, d_n\} \rrbracket := \llbracket d_1 \rrbracket \cup \cdots \cup \llbracket d_n \rrbracket$ 

This is join-preserving by construction, and remains monoidal and functorial. 

By definition, we call piecewise-linear (pl) any relation in the image of this 
functor, i.e., any relation that is a finite union of polyhedral relations. As far 
as we know, this is the first time that this notion appears in print. However, it 
does capture our intuitive notion of piecewise-linearity as submanifolds of $\mathbb{K}^n$ 
that can be subdivided into linear subspaces. 
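The constructions of Definition 1, Section 2.3 and Section 4.1 in executable form, as an added example that is not part of the paper. Relations are kept as constraint systems over named wires, so composition is exactly the existential of Definition 1 (the glued wires become hidden variables instead of being projected away), the generators carry the semantics listed in Section 2.3, a union of polyhedra is a list of constraint systems, and membership of a concrete pair is decided by Fourier-Motzkin elimination over the rationals. The representation, the wire-naming scheme and the helper names (`PLRel`, `feasible`, `totality_holds`, `ideal_diode`) are my own; the ideal-diode relation is the piecewise-linear but non-polyhedral kind of component the introduction alludes to, and its two branches are written down here as an assumption of the example.

```python
from fractions import Fraction as Fr
from itertools import count, product

# A row (coefs, const, eq) stands for  sum(coefs[v] * v) + const  == 0 (eq) or >= 0 (not eq).
def row(coefs, const=0, eq=True):
    return ({v: Fr(k) for v, k in coefs.items() if k != 0}, Fr(const), eq)

def feasible(rows):
    """Fourier-Motzkin: does a finite system of rational rows have a solution?"""
    ineqs = []
    for c, d, eq in rows:                              # an equality is two inequalities
        ineqs.append((c, d))
        if eq:
            ineqs.append(({v: -k for v, k in c.items()}, -d))
    while ineqs:
        if any(not c and d < 0 for c, d in ineqs):
            return False                               # a ground inequality is violated
        ineqs = [r for r in ineqs if r[0]]
        if not ineqs:
            return True
        var = next(iter(ineqs[0][0]))                  # eliminate one variable per round
        pos = [r for r in ineqs if r[0].get(var, 0) > 0]
        neg = [r for r in ineqs if r[0].get(var, 0) < 0]
        rest = [r for r in ineqs if var not in r[0]]
        for (pc, pd), (qc, qd) in product(pos, neg):   # positive combination cancels var
            a, b = pc[var], -qc[var]
            c = {v: b * k for v, k in pc.items()}
            for v, k in qc.items():
                c[v] = c.get(v, Fr(0)) + a * k
            rest.append(({v: k for v, k in c.items() if k != 0}, b * pd + a * qd))
        ineqs = rest
    return True

_fresh = count(1)                                      # fresh prefixes for hidden wires

def _ren(poly, f):
    return [({f(v): k for v, k in c.items()}, d, eq) for c, d, eq in poly]

class PLRel:
    """Piecewise-linear relation n -> m: a finite union of polyhedra, each a list of rows
    over inputs i0..i{n-1}, outputs o0..o{m-1} and hidden wires (names starting with z)."""
    def __init__(self, n, m, polys):
        self.n, self.m, self.polys = n, m, polys

    def then(self, other):      # R ; S  -- glue R's outputs to S's inputs and hide them
        assert self.m == other.n
        t = f"z{next(_fresh)}"
        lf = lambda v: t + "m" + v[1:] if v[0] == "o" else (t + "L" + v if v[0] == "z" else v)
        rf = lambda v: t + "m" + v[1:] if v[0] == "i" else (t + "R" + v if v[0] == "z" else v)
        return PLRel(self.n, other.m, [_ren(p, lf) + _ren(q, rf)
                                        for p, q in product(self.polys, other.polys)])

    def beside(self, other):    # R (+) S  -- S's wires are stacked below R's
        t = f"z{next(_fresh)}"
        lf = lambda v: t + "L" + v if v[0] == "z" else v
        rf = lambda v: (v[0] + str(int(v[1:]) + (self.n if v[0] == "i" else self.m))
                        if v[0] in "io" else t + "R" + v)
        return PLRel(self.n + other.n, self.m + other.m,
                     [_ren(p, lf) + _ren(q, rf) for p, q in product(self.polys, other.polys)])

    def join(self, other):      # union, the join of the U-prop
        return PLRel(self.n, self.m, self.polys + other.polys)

    def op(self):               # dual: swap inputs and outputs (what cups and caps do)
        return PLRel(self.m, self.n, [_ren(p, lambda v: {"i": "o", "o": "i"}[v[0]] + v[1:]
                                              if v[0] in "io" else v) for p in self.polys])

    def contains(self, xs, ys):
        """Fix the visible wires and ask whether hidden ones can be chosen in some polyhedron."""
        env = {f"i{j}": Fr(x) for j, x in enumerate(xs)}
        env.update({f"o{j}": Fr(y) for j, y in enumerate(ys)})
        ground = lambda poly: [({v: k for v, k in c.items() if v not in env},
                                d + sum((k * env[v] for v, k in c.items() if v in env), Fr(0)), eq)
                               for c, d, eq in poly]
        return any(feasible(ground(p)) for p in self.polys)

# The generators of Section 2.3 with their semantics.
COPY   = PLRel(1, 2, [[row({"o0": 1, "i0": -1}), row({"o1": 1, "i0": -1})]])  # black: x -> (x, x)
DELETE = PLRel(1, 0, [[]])                                                      # black counit: any x
ADD    = PLRel(2, 1, [[row({"o0": 1, "i0": -1, "i1": -1})]])                    # white: (x, y) -> x + y
ZERO   = PLRel(0, 1, [[row({"o0": 1})]])                                        # white unit: emits 0
GEQ    = PLRel(1, 1, [[row({"i0": 1, "o0": -1}, eq=False)]])                    # order: x >= y

def scalar(k):                                                                  # amplifier: x -> k*x
    return PLRel(1, 1, [[row({"o0": 1, "i0": -k})]])

def totality_holds(x):
    """Semantic content of (total) at one point: (x >= 0) U (x <= 0) agrees with discard."""
    nonneg = GEQ.then(ZERO.op())            # x >= 0, a polyhedral 1 -> 0 relation
    nonpos = GEQ.op().then(ZERO.op())       # x <= 0
    return nonneg.join(nonpos).contains([x], []) == DELETE.contains([x], [])

def ideal_diode():
    """A pl relation that is not polyhedral: {(v,i) | v <= 0, i = 0} U {(v,i) | v = 0, i >= 0}."""
    blocking = [row({"i0": -1}, eq=False), row({"o0": 1})]
    conducting = [row({"i0": 1}), row({"o0": 1}, eq=False)]
    return PLRel(1, 1, [blocking, conducting])
```

`GEQ.then(GEQ)` is the relation $\{(x,z) \mid \exists y.\ x \ge y \ge z\}$; the hidden $y$ is what the elimination searches for, so `contains([5], [2])` holds and `contains([2], [5])` does not. `COPY.then(ADD)` and `scalar(2)` agree on every pair, which is the kind of semantic equality the axioms are meant to derive, and `totality_holds` checks the (total) axiom at a point: the union of the two half-lines, each built from the generators, is the discard generator.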


4.2 Equational Theory 


$\mathsf{IH}_{\mathrm{PL}}$, the SMLT of pl relations, is presented in Fig. 1. The first block is the theory 
of matrices/linear maps; the second block, IH, axiomatises all linear relations; the 
third block axiomatises the behaviour of the order generator $\ge$; the fourth deals with 
the affine fragment of the theory, axiomatising the behaviour of the constant $1$. 
Taken together, those four blocks constitute $\mathsf{IH}^{\ge}$, an axiomatisation of polyhedral 
relations; we refer the reader to [4] for more details on this fragment. 

The key addition of $\mathsf{IH}_{\mathrm{PL}}$ is the last block, containing the axiom of totality, 
which states that any element of $\mathbb{K}$ belongs to the non-negative or to the non-positive 
fragment of $\mathbb{K}$. Remarkably, this simple axiom is the only one we need to 
add to $\mathsf{IH}^{\ge}$ to obtain a complete theory for pl relations. Its soundness is simply 
a consequence of the definition of an ordered field: the order is assumed to be 
total in the sense that, for any $x, y \in \mathbb{K}$, we have $x \le y$ or $y \le x$. Take $y = 0$ to 
recover the last axiom of $\mathsf{IH}_{\mathrm{PL}}$. 


Remark 2. As a consequence of the Frobenius laws (●-fr) and of (co)unitality (●-un)-(●-coun), the cup and cap diagrams built from the black structure satisfy, for any n, the two snake equations

(3)  [cup and cap composed on either side of the n-wire identity yield the identity; the string diagrams are not reproduced in this extract]

which are the defining equations of a compact closed category. Intuitively, these allow us to forget the direction of wires. In addition, compactness implies the following proposition.


Proposition 1. $C \subseteq^{IH_{PL}} D$ iff $C^{op} \subseteq^{IH_{PL}} D^{op}$, where $C^{op}$ is the mirror image of C obtained by swapping inputs and outputs.


Another important property of compact closed categories, which we will exploit to simplify the completeness proof, is stated in the following proposition. It is an immediate consequence of (3).

Proposition 2. Given $C, D : m \to n$, $C \subseteq^{IH_{PL}} D$ iff $\ulcorner C \urcorner \subseteq^{IH_{PL}} \ulcorner D \urcorner$, where $\ulcorner C \urcorner : m + n \to 0$ is obtained from C by bending its n output wires back to the input side with the cap of (3) (diagram not reproduced in this extract).


4.3 Completeness Theorem 


As we stated above, the axioms in Fig. 1 form a complete theory for pl relations. We will prove that claim in this section. Without loss of generality, using Proposition 2, we restrict to $n \to 0$ diagrams.

We start by defining appropriate normal forms for polyhedral and pl relations, 
and then show that every diagram can be reduced to normal form. 
Fig. 1. Axioms of GPLA. (The string diagrams of the axiom table are not reproduced in this extract. As far as they are legible, the axiom labels are: (●-coas), (●-coco), (●○-bi), (●○-biun), (○●-biun), (○●-bo), (add), (zero), (dup), (del), (●-fr1), (●-fr2), (●-sp), (●-bo), (○-fr1), (○-fr2), (○-sp), (○-bo), (○-coco), (r-inv), (r-coinv), (r≠0), (cup-1), (cap-1), (≤dup), (≤add), (≤del), (≤zero), (r>0), (r<0), (antisym), (Riesz), (rect), (1-dup), (1-del), (0<1), and, in the last block, (total).)
Definition 2. We call hyperplane a nonzero affine map $H : n \to 1$, which we write as the diagram ⌜H⌝. A given hyperplane H defines two half-spaces $\{x \mid H(x) \geq 0\}$ and $\{x \mid H(x) \leq 0\}$, written diagrammatically as H;≥0 and H;≤0, as well as the affine subspace $\{x \mid H(x) = 0\}$, written H;=0. Since the inequalities are not strict, the half-spaces include the affine subspace.


In [4, Theorem 14], polyhedral relations have a normal form given by a set of inequations of the form $A_i x + b_i \geq 0$. In other words, the normal form is given by an intersection of half-spaces. For our purposes we define a related but slightly different normal form.


Definition 3. A P_{Σ≤}-diagram $d : n \to 0$ is in polyhedral normal form if there are hyperplanes $H_i$ and diagrams $d_i \in \{{=}0, {\geq}0, {\leq}0\}$ such that d is equal, in IH_P, to the diagram that copies its n inputs to each $H_i$ and composes the output of each $H_i$ with the corresponding $d_i$ (diagram not reproduced in this extract); semantically, $[\![d]\!] = \bigcap_i \{x \mid H_i(x) \bowtie_i 0\}$, where $\bowtie_i$ is the relation symbol chosen by $d_i$. Here the $d_i$ are minimal in the following sense: fixing the set of hyperplanes $H_i$, we consider all choices of $d_i$ that give d when composed as above. We then require the $d_i$ in the normal form to be minimal (wrt the order of IH_P) among those. We call the set of the $d_i$ a valuation for d relative to the hyperplanes $H_i$.


Definition 4. We say that a morphism D of P^∪_{Σ≤} is in pl normal form if it is written as a non-empty union of diagrams $d_i$, each in the language of P_{Σ≤} (i.e. without unions), the $d_i$ are in the normal form defined in Definition 3, and all the normal forms use the same set of hyperplanes.


Lemma 1. Every $d : n \to 0$ in P_{Σ≤} has a polyhedral normal form.

Proof. The normal form from [4, Theorem 14] already has the right shape. We only need to find a minimal valuation. Observe that the intersection of two valuations for d is again a valuation for d: let $v = (d_i)_i$ and $v' = (d'_i)_i$ be two valuations for d relative to the hyperplanes $H_i$, and write $d_i \wedge d'_i$ for the meet of the two relation symbols (so that, for instance, ${\geq}0 \wedge {\leq}0$ is ${=}0$), which is again one of ${=}0$, ${\geq}0$, ${\leq}0$. Composing each $H_i$ with $d_i \wedge d'_i$ denotes the intersection of the relations denoted by the two original composites, that is, $[\![d]\!] \cap [\![d]\!] = [\![d]\!]$. Therefore $v \cap v'$ is again a valuation for d. Since there are finitely many valuations, we construct the minimal one by intersecting them all.


Lemma 2. If a morphism D of P^∪_{Σ≤} is in pl normal form and H is a hyperplane, there exists C' in pl normal form such that $D =^{IH_{PL}} C'$ and Hyperplanes(C') = Hyperplanes(D) ∪ {H}.


Proof. We write the normal form of D as $D = \bigcup_i d_i$. Define C to be the morphism

$C := \bigcup_i \big(d_i \wedge (H ; {\geq}0)\big) \;\cup\; \bigcup_i \big(d_i \wedge (H ; {\leq}0)\big)$,

i.e. each $d_i$ is intersected with each of the two half-spaces of H.
112 G. Boisseau and R. Piedeleu 


We transform C into C' by reducing all the terms in the union to polyhedral normal form. This makes C' be in pl normal form. Since we add the same hyperplane H to all $d_i$, Hyperplanes(C') = Hyperplanes(D) ∪ {H}.

Moreover, by the axiom of totality, $(H ; {\geq}0) \cup (H ; {\leq}0) = H ; ({\geq}0 \cup {\leq}0)$ imposes no constraint at all, so that for each i

$d_i \;=^{IH_{PL}}\; \big(d_i \wedge (H ; {\geq}0)\big) \cup \big(d_i \wedge (H ; {\leq}0)\big)$,

and hence $D =^{IH_{PL}} C =^{IH_{PL}} C'$.


Theorem 1. Every morphism of P^∪_{Σ≤} has a pl normal form.

Proof. Let D be an $n \to 0$ morphism of P^∪_{Σ≤}. First, using distributivity of the union over sequential and parallel composition, we move all the uses of the union to the top level.

Thus D is written $\bigcup_i d_i$ where each $d_i$ doesn't use the union, i.e. is in the language of P_{Σ≤}. We then rewrite each $d_i$ into polyhedral normal form using Lemma 1.

Each $d_i$ is thus also individually in pl normal form, so we can use Lemma 2 to add to each $d_i$ all the hyperplanes of the other $d_j$. For each i we get a new diagram $d'_i =^{IH_{PL}} d_i$ in pl normal form, and all the $d'_i$ use the same set of hyperplanes. So $\bigcup_i d'_i$ is a pl normal form for D.


Before we can prove completeness, we need a final notion: the interior of a 
polyhedral relation, which is the set of its points that don’t touch any of its 
faces. 


Definition 5. Let d be a morphism in polyhedral normal form. We define Int(d) to be the set of points $x \in [\![d]\!]$ for which $H_i(x) \neq 0$ whenever $d_i$ is not ${=}0$. In other words, $H_i(x)$ is nonzero for all hyperplanes where it can be nonzero without x leaving $[\![d]\!]$.


Note that we define Int only on polyhedral normal form diagrams. Int appears 
to be representation-independent at least when K = R, but we won’t try to prove 
it in the general case as we don’t need this here. 


Remark 3. This is not the usual topological notion of interior. In particular, this notion is independent from the dimension of the surrounding space: a polyhedron of dimension $0 < k < n$ within $\mathbb{R}^n$ has an empty topological interior but a nonempty Int, as we'll see in the next theorem. Int(d) instead coincides with the interior of d with the topology of the smallest containing affine space.


Lemma 3. Let d be a diagram in polyhedral normal form. If $[\![d]\!]$ is nonempty, then Int(d) is nonempty.

Proof. First, write d in polyhedral normal form, with hyperplanes $H_i$ and valuation $(d_i)_i$ (diagram not reproduced in this extract). Up to negating some of the $H_i$, we can assume that none of the $d_i$ is ${\leq}0$. If every $d_i$ is ${=}0$, then by definition $Int(d) = [\![d]\!]$, which is nonempty, so we're done. Assume then that $d_i$ is ${\geq}0$ for at least some i. For each such i, by minimality of the $d_i$ in the normal form there must be an $x_i \in [\![d]\!]$ such that $H_i(x_i) > 0$ (otherwise ${=}0$ would be a smaller valid choice for $d_i$). We pick such an $x_i$ for each of these i, say m of them, and define $x := \frac{1}{m} \sum_i x_i$ to be their average. By convexity, $x \in [\![d]\!]$. Each $H_i$ is affine, so $H_i(x) = \frac{1}{m} \sum_j H_i(x_j) \geq \frac{1}{m} H_i(x_i) > 0$, since every other term $H_i(x_j)$ is non-negative. Then for each i either $d_i$ is ${=}0$ or $H_i(x) > 0$, hence $x \in Int(d)$.


Theorem 2 (Completeness). $[\![D]\!] \subseteq [\![C]\!]$ implies $D \subseteq^{IH_{PL}} C$.

Proof. Using Proposition 2 we can without loss of generality assume that D and C have n inputs and 0 outputs. Using Theorem 1, we reduce D and C into pl normal form. Using Lemma 2, we add each other's hyperplanes to D and C so that they both use the exact same set. So $D = \bigcup_i d_i$ and $C = \bigcup_j c_j$, where the $d_i$ and $c_j$ are in polyhedral normal form and use the same set of hyperplanes $\{H_k\}_k$. Pick one of the $d_i$ in D.

If $d_i$ is the empty polyhedron, we have $[\![d_i]\!] = \emptyset \subseteq [\![c_0]\!]$, so by completeness of IH_P we get $d_i \subseteq^{IH_P} c_0$. Thus $d_i \subseteq^{IH_{PL}} c_0 \subseteq^{IH_{PL}} C$.

Otherwise $d_i$ is nonempty, and using Lemma 3 we pick $x \in Int(d_i)$. Then

$x \in Int(d_i) \subseteq [\![d_i]\!] \subseteq [\![D]\!] \subseteq [\![C]\!] = [\![\textstyle\bigcup_j c_j]\!] = \bigcup_j [\![c_j]\!]$.

Thus there is a j such that $x \in [\![c_j]\!]$. Now pick a k, and write $d_{i,k}$ and $c_{j,k}$ for the relation symbols that $d_i$ and $c_j$ attach to $H_k$. If $d_{i,k}$ is ${=}0$, then $d_{i,k} \subseteq c_{j,k}$ regardless of $c_{j,k}$. If $d_{i,k}$ is ${\geq}0$, then by definition of $Int(d_i)$ we have $H_k(x) > 0$. Since moreover $x \in [\![c_j]\!]$, $c_{j,k}$ must be ${\geq}0$. If $d_{i,k}$ is ${\leq}0$, similarly $c_{j,k}$ must be ${\leq}0$. In all three cases, $d_{i,k} \subseteq c_{j,k}$.

This is the case for every k, and the diagrams $d_i$ and $c_j$ differ only in these relation symbols, so replacing each $d_{i,k}$ by $c_{j,k}$ (the inclusions ${=}0 \subseteq {\geq}0$ and ${=}0 \subseteq {\leq}0$ hold in IH_P by its completeness) gives

$d_i \subseteq^{IH_{PL}} c_j \subseteq^{IH_{PL}} C$.

Finally, since we have $d_i \subseteq^{IH_{PL}} C$ for all i, we derive $D = \bigcup_i d_i \subseteq^{IH_{PL}} C$.
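A small instance of this proof, worked out here as an added illustration that is not part of the original paper (the symbols are those of the proof). Take $n = 1$, $D = \{x \mid x = 0\}$ and $C = \{x \mid x \geq 1\} \cup \{x \mid x \leq 0\}$, so that $[\![D]\!] \subseteq [\![C]\!]$ holds semantically and completeness should give $D \subseteq^{IH_{PL}} C$. Before Lemma 2, D uses the single hyperplane $H_1$ and the two pieces of C use $H_2$ and $H_1$ respectively; after it, every piece uses both.

$$
\begin{aligned}
&\text{shared hyperplanes:} && H_1(x) = x, \qquad H_2(x) = x - 1 \\
&\text{pl normal form of } D: && d_1 = (H_1 ; {=}0) \wedge (H_2 ; {\leq}0), \quad [\![d_1]\!] = \{0\} \\
& && d_2 = (H_1 ; {=}0) \wedge (H_2 ; {=}0), \quad [\![d_2]\!] = \emptyset \\
&\text{pl normal form of } C: && c_1 = (H_1 ; {\geq}0) \wedge (H_2 ; {\geq}0), \quad [\![c_1]\!] = \{x \mid x \geq 1\} \\
& && c_2 = (H_1 ; {\leq}0) \wedge (H_2 ; {\leq}0), \quad [\![c_2]\!] = \{x \mid x \leq 0\} \\
& && c_3 = c_4 = (H_1 ; {=}0) \wedge (H_2 ; {=}0), \quad [\![c_3]\!] = [\![c_4]\!] = \emptyset
\end{aligned}
$$

The piece $d_2$ is the half of $D$ on the side $H_2 \geq 0$ produced by Lemma 2; it is empty, and minimality of the valuation turns its ${\geq}0$ into ${=}0$, since both choices denote $\emptyset$. The same happens to the two mixed pieces $c_3, c_4$ of C. The proof then runs as follows.

$$
\begin{aligned}
&d_2 \text{ empty:} && [\![d_2]\!] = \emptyset \subseteq [\![c_1]\!] \ \Rightarrow\ d_2 \subseteq^{IH_P} c_1 \subseteq^{IH_{PL}} C \\
&d_1 \text{ nonempty:} && Int(d_1) = \{x \in \{0\} \mid H_2(x) \neq 0\} = \{0\}, \ \text{pick } x = 0; \ 0 \in [\![c_2]\!] \text{ and } 0 \notin [\![c_1]\!], \text{ so } j = 2 \\
&k = 1: && d_{1,1} = {=}0, \ \text{hence } d_{1,1} \subseteq c_{2,1} = {\leq}0 \text{ regardless of } c_{2,1} \\
&k = 2: && d_{1,2} = {\leq}0 \text{ and } H_2(0) = -1 < 0; \ 0 \in [\![c_2]\!] \text{ forces } c_{2,2} = {\leq}0 \\
&\text{hence} && d_1 \subseteq^{IH_{PL}} c_2 \subseteq^{IH_{PL}} C, \qquad D = d_1 \cup d_2 \subseteq^{IH_{PL}} C .
\end{aligned}
$$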


5 Generating Piecewise-Linear Relations 


Piecewise-linear subsets of vector spaces give us a rather wide semantic space to 
explore. One might suspect that there exist useful structured relations that live 
strictly between the linear and piecewise-linear worlds. 
Formally, we're interested in finding sub-props of Rel_K that contain not only linear or polyhedral relations, but some selected non-convex relations that would be useful for particular applications. It turns out that for many sensible choices, the resulting image will coincide with pl relations, a somewhat surprising fact. Note that we are interested in generating sub-props of Rel_K here, not ∪-props, since the ∪-prop generated by the image of P^∪_{Σ≤} under $[\![-]\!]$ already contains all pl relations.

We will go through a few natural choices, each time defining them as a term of P^∪_{Σ≤}, a shortcut which makes reasoning about them much easier than with their set-theoretic semantics. Of course, their semantics in Rel_K can be recovered via $[\![-]\!]$.


5.1 The n-Fold Union Generators 


We first show that the main difference between polyhedral and pl relations, the unions, can be bridged. Indeed, it is not obvious that we can build arbitrary unions of diagrams without having access to the syntax of a SMLT. For this we introduce a family of diagrams we call the n-fold union generators, defined for a given n as a diagram into which two $n \to 0$ diagrams can be plugged (diagram not reproduced in this extract).

These generators suffice to reproduce the behaviour of the syntactic union:

Theorem 3. The image of the free prop generated by Σ_≤ and the n-fold union generators for all n is the prop of pl relations.

Proof. If A and B are non-empty $n \to 0$ diagrams, then plugging A and B into the n-fold union generator yields a diagram equal to $A \cup B$ (diagrammatic equation not reproduced in this extract). Since every pl relation can be written as a finite union of diagrams in P_{Σ≤}, and we can easily avoid diagrams denoting the empty relation, this generates all of pl relations.


This means that we didn't formally need to introduce the notion of a SMLT after all: we could have defined an equivalent SMT by adding these generators. However, this is for most purposes a much less convenient syntax, and the corresponding equational theory would be more difficult to calculate with. This is also the case for the examples that follow.


5.2 The Simplest Non-Convex Diagram 


The following is one of the simplest diagrams that captures a non-convex relation:

$+ := (—○ \otimes —●) \cup (—● \otimes —○)$

where the white counit —○ constrains its wire to be 0 and the black counit —● discards its wire. It is named after its semantics: the union of the x and y axes in the plane, corresponding to the simple equation $x = 0 \vee y = 0$. Despite its simplicity, it suffices to generate all of pl relations.


Theorem 4. The image of the free prop generated by Σ_≤ and + is the prop of pl relations.

Proof. Define a diagram $dup : 1 \to 2$ built from + and the affine structure (diagram not reproduced in this extract). This diagram has the interesting property of duplicating both the black and the white unit: composing ○— with dup yields ○— ⊗ ○—, and composing ●— with dup yields ●— ⊗ ●—. We can chain it to build $dup_n : 1 \to n$ for any n. Then, from $dup_n$ and +, we define $+_n$, which in turn allows us to build the n-fold union generator of Section 5.1 (diagrams not reproduced in this extract), so Theorem 3 applies.


5.3 The Semantics of a Diode 


Most basic electrical circuit components can be modelled with an affine semantics. The first exception is the (ideal) diode: the idealised current-voltage semantics across a diode is that the current can be negative and the voltage difference positive, but not both at the same time. (The graph of the allowed (current, voltage difference) pairs, with axes I and U, is not reproduced in this extract.)

Not only is this not affine, it is not even convex. The corresponding diagram is the union of two polyhedral relations on the (current, voltage difference) pair, one per branch of the disjunction (diagram not reproduced in this extract), and lies outside of both affine and polyhedral algebra.

We will see how to model electrical circuits with diodes in more detail in the next section. We will focus here on the following fact: adding a generator with this semantics is once again enough to recover all pl relations. In fact we can even build the ≥ relation from the diode, so we can start from affine algebra (without requiring the generality of polyhedral algebra).

For convenience, we define a new generator, written L below, whose semantics is the mirror image of the diode's graph (diagram not reproduced in this extract).
Theorem 5. Recall that Σ^+ is Σ_≤ without ≥. The image of the free prop generated by Σ^+ and L is the prop of pl relations.

Proof. First, we can construct the ≥ generator from L (diagrammatic derivation not reproduced in this extract). So we generate all polyhedral relations. Then we can also recover the + generator from the previous section, which is enough to generate all of pl relations by Theorem 4: composing two copies of L (diagram not reproduced in this extract) expands, by distributing ∪ over composition, into a union of four polyhedral terms, two of which are included in the other two, so that what remains is

$(—● \otimes —○) \cup (—○ \otimes —●) = +$.


5.4 Alternative generators: max, ReLU and abs

Three of the most basic piecewise-linear functions one might come across are abs, max and ReLU. We define them diagrammatically as follows (diagrams not reproduced in this extract): max : 2 → 1 is the union of two polyhedral relations, one relating (x, y) to x when $x \geq y$ and the other relating (x, y) to y when $y \geq x$; $abs(x) := max(x, -x)$; $ReLU(x) := max(0, x)$.

While the reader will certainly be familiar with the first two, ReLU has acquired significant fame as one of the basic building blocks of neural networks. In fact, all neural networks whose activation function is ReLU can be represented in GPLA. This opens up the exciting possibility of applying equational reasoning to neural networks, a possibility that we leave for future work.

Once again, adding any one of them to the syntax for affine algebra suffices to construct any pl relation.
Theorem 6. The image of the free prop generated by Σ^+ and any of max, abs or ReLU is the prop of pl relations.

Proof. First, we notice that the three functions are inter-definable. abs and ReLU were already defined in terms of max, and we can complete the cycle:

$\max(x, y) = x + \max(0, y - x) = x + \mathrm{ReLU}(y - x)$

$\mathrm{ReLU}(x) = \max(0, x) = (x + \mathrm{abs}(x)) / 2$

So we only need to show the result for one of them. Let's pick max. We recover L, which we know suffices by Theorem 5: composing max with the affine structure gives a diagram that expands, by distributing ∪ over composition, into a union of two polyhedral terms (derivation not reproduced in this extract), and these two terms are exactly the two components of L. Thus max generates L.

Remark 4. It is standard that max together with linear maps generates all continuous pl functions. Our result can be seen as a generalization of this fact to the relational setting.
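The claim in Section 5.4 that every ReLU network is representable in GPLA, and Remark 4's reminder that max and linear maps generate the continuous pl functions, can be made concrete by computing the pl normal form of a network's graph. The Python below is an added example, not code from the paper or its authors. It takes a constructed two-layer ReLU network with rational weights, enumerates the activation patterns, and returns one polyhedral piece per pattern: each piece is given by hyperplanes in the sense of Definition 2 (the pre-activations, as affine maps n → 1) with a choice of ≥0 or ≤0 per hyperplane, i.e. a valuation, together with the affine map the network equals on that piece. For a single hidden layer all pieces use the same hyperplanes, so the union is already in pl normal form (Definition 4); with more hidden layers the hyperplanes of later layers depend on the pattern, and equalising them would need the splitting of Lemma 2. The network, the function names and the sample points are all assumptions of this example.

```python
from fractions import Fraction
from itertools import product

# Constructed toy network, not taken from the paper: 2 inputs, one hidden
# layer of 2 ReLU units, 1 linear output.  A layer is (W, b) computing
# W x + b; ReLU is applied after every layer except the last.  Rational
# weights keep all arithmetic exact.
LAYERS = [
    ([[Fraction(1), Fraction(-1)], [Fraction(1), Fraction(1)]], [Fraction(0), Fraction(-1)]),
    ([[Fraction(1), Fraction(-2)]], [Fraction(1)]),
]

def affine(W, b, x):
    """W x + b for a list-of-rows matrix W and vectors b, x."""
    return [sum(w * xi for w, xi in zip(row, x)) + bi for row, bi in zip(W, b)]

def net_eval(layers, x):
    """Ordinary forward evaluation of the ReLU network."""
    for depth, (W, b) in enumerate(layers):
        x = affine(W, b, x)
        if depth < len(layers) - 1:
            x = [max(v, Fraction(0)) for v in x]
    return x

def enumerate_pieces(layers):
    """One polyhedral piece per activation pattern.  A piece is
    (constraints, (M, m)): on the polyhedron {x | H(x) sym 0 for all
    ((H_row, H_const), sym) in constraints} the network is x -> M x + m.
    Each H is an affine map n -> 1 (a hyperplane as in Definition 2) and sym
    is '>=' for an active unit or '<=' for an inactive one, i.e. the
    valuation of the piece.  Pieces whose polyhedron is empty are kept:
    detecting them needs a feasibility check (an LP) that is out of scope."""
    n_in = len(layers[0][0][0])
    identity = ([[Fraction(int(i == j)) for j in range(n_in)] for i in range(n_in)],
                [Fraction(0)] * n_in)
    pieces = [([], identity)]
    for depth, (W, b) in enumerate(layers):
        next_pieces = []
        for constraints, (M, m) in pieces:
            # Pre-activation of this layer as an affine map of the network
            # input x: W (M x + m) + b composed into a single (W M, W m + b).
            pre_M = [[sum(w * M[k][j] for k, w in enumerate(row)) for j in range(n_in)]
                     for row in W]
            pre_m = [sum(w * m[k] for k, w in enumerate(row)) + bi
                     for row, bi in zip(W, b)]
            if depth == len(layers) - 1:          # output layer, no ReLU
                next_pieces.append((constraints, (pre_M, pre_m)))
                continue
            for pattern in product((0, 1), repeat=len(W)):
                cons = list(constraints)
                post_M, post_m = [], []
                for j, active in enumerate(pattern):
                    cons.append(((pre_M[j], pre_m[j]), '>=' if active else '<='))
                    post_M.append(pre_M[j] if active else [Fraction(0)] * n_in)
                    post_m.append(pre_m[j] if active else Fraction(0))
                next_pieces.append((cons, (post_M, post_m)))
        pieces = next_pieces
    return pieces

def satisfies(constraint, x):
    (row, const), sym = constraint
    v = sum(r * xi for r, xi in zip(row, x)) + const
    return v >= 0 if sym == '>=' else v <= 0

def pieces_at(pieces, x):
    """Pieces whose polyhedron contains x: several when x lies on one of the
    hyperplanes, and then their affine maps must agree at x."""
    return [p for p in pieces if all(satisfies(c, x) for c in p[0])]

def pieces_agree(layers, pieces, x):
    """True iff x is covered and every piece containing x reproduces the
    network's output there, i.e. the union of pieces is the graph of the
    network at x."""
    y = net_eval(layers, x)
    found = pieces_at(pieces, x)
    return bool(found) and all(affine(M, m, x) == y for _, (M, m) in found)

if __name__ == "__main__":
    pcs = enumerate_pieces(LAYERS)
    print(len(pcs), "pieces for", sum(len(b) for _, b in LAYERS[:-1]), "hidden units")
    for x in ([2, 1], [1, 0], [0, 3], [-5, 7]):
        print(x, "->", net_eval(LAYERS, x), "covered consistently:", pieces_agree(LAYERS, pcs, x))
```

The number of pieces is 2 raised to the number of hidden units, the same combinatorial blow-up that the diode count causes in Section 6. Pieces with an empty polyhedron are kept because deciding emptiness needs a feasibility check (an LP), which this example deliberately avoids; `pieces_agree` checks, at points on and off the hyperplanes, that the union of the pieces is the graph of the network.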


5.5 Conclusion 


These examples justify the generality of pl relations: they constitute the minimal extension of polyhedral algebra (and in some cases affine algebra) that can express any of the very useful relations above. This is interesting because pl relations form a nearly universal domain: they can approximate any smooth manifold over a bounded domain.

Despite our compelling examples, there could still be interesting props between polyhedral and pl relations. In particular, determining the prop generated by Σ^+ together with the generator considered in the original, a union of two affine diagrams (not legible in this extract), is currently an open problem.


6 Case Study: Electronic Circuits 


To illustrate how one would use this theory in a concrete case, we turn to the study of electronic circuits. We build on the work done in [3]. The syntax mimics the usual circuits drawn by electrical engineers, by generating a free two-colored prop from basic elements and wires. The blue wires are electrical wires, and the black wires carry information; for details see [3]. (The table of circuit generators is not reproduced in this extract.)

The corresponding physical model imposes constraints between two quantities: current and voltage. To express this, we map an electrical wire into two GPLA wires, the top one for voltage and the bottom one for current. We then give to each generator a semantics in GPLA that expresses the relevant physical equations (the example semantics of the original are not reproduced in this extract).

The core of this approach is the fact that composition of constraints in GPLA gives the behaviour of the corresponding composite electrical circuit. We can thus define the semantics of a whole circuit compositionally, and get the physically expected result.

So far this follows exactly [3]. Our contribution is the ability to express the behaviour of diodes: the semantics of the diode generator is the non-convex relation of Section 5.3, a union of two polyhedral relations on the (voltage, current) pair (diagrammatic equation not reproduced in this extract).


Remark 5. We cannot include capacitors and inductors, because they require semantics over the field ℝ(x) of rational functions, and ℝ(x) cannot be ordered in a way that would be consistent with the physics. Finding diagrammatic semantics that can accommodate both capacitors and diodes is an important open problem.


This extension allows us to model electronic circuits! As hinted in the previous section, diodes by themselves can be used to build many things. For example, we can model a simple idealized transistor as in [10, Fig. 59.1] (circuit diagram not reproduced in this extract).

That said, it is impractical to prove the equality of two non-trivial electronic circuits explicitly, as the number of alternatives grows exponentially in the number of diodes. Like in standard mathematical practice, making this practical will require finding appropriate techniques and approximations, which we leave for future work.
Abstract. A nondeterministic automaton is history-deterministic if its nondeterminism can be resolved by only considering the prefix of the word read so far. Due to their good compositional properties, history-deterministic automata are useful in solving games and synthesis problems. Deciding whether a given nondeterministic automaton is history-deterministic (the HDness problem) is generally a difficult task, which might involve an exponential procedure, or even be undecidable, for example for pushdown automata. Token games provide a PTIME solution to the HDness problem of Büchi and coBüchi automata, and it is conjectured that 2-token games characterise HDness for all ω-regular automata. We extend token games to the quantitative setting and analyze their potential to help deciding HDness for quantitative automata. In particular, we show that 1-token games characterise HDness for all quantitative (and Boolean) automata on finite words, as well as discounted-sum (DSum) automata on infinite words, and that 2-token games characterise HDness of LimInf and LimSup automata. Using these characterisations, we provide solutions to the HDness problem of Inf and Sup automata on finite words in PTIME, for DSum automata on finite and infinite words in NP∩co-NP, for LimSup automata in quasipolynomial time, and for LimInf automata in exponential time, where the latter two are only polynomial for automata with a logarithmic number of weights.


Keywords: Automata, History-determinism, Token games, Synthesis 


1 Introduction 


History-determinism. A nondeterministic [quantitative] automaton is history- 
deterministic (HD) [11,8] if its nondeterministic choices can be resolved by only 
considering the word read so far, uniformly across possible suffixes (see Fig. 2 
for examples of HD and non-HD automata). More precisely, there should be a 
function (strategy), sometimes called a resolver, that maps the finite prefixes of 
a word to the transition to be taken at the last letter. The run built in this way 
must, in the Boolean setting, be accepting whenever the word is in the language 
of the automaton, and in the more general, quantitative, setting, attain the value 
of the automaton on the word (i.e., the supremum of all its runs’ values). 


© The Author(s) 2022
P. Bouyer and L. Schröder (Eds.): FoSSaCS 2022, LNCS 13242, pp. 120-139, 2022.
https://doi.org/10.1007/978-3-030-99253-8_7
History-determinism lies in between determinism and nondeterminism, enjoying in some aspects the best of both worlds: HD automata are, like deterministic ones, useful for solving games and reactive synthesis [16,11,17,18,12,15,8], yet can sometimes be more expressive and/or succinct. For example, HD coBüchi and LimInf automata can be exponentially more succinct than deterministic ones [19], and HD pushdown automata are both more expressive and at least exponentially more succinct than deterministic ones [20,15]. In the (ω-)regular setting, history-determinism coincides with good-for-gameness [7], while in the quantitative setting it is stronger [8]. The problem of deciding whether a nondeterministic automaton is HD is interreducible with deciding the best-value synthesis problem of a deterministic automaton [14,8]. In this quantitative version of the reactive synthesis problem, the system must guarantee a behaviour that matches the value of any global behaviour compatible with the environment's actions. The witness of HDness corresponds exactly to the solution system of this synthesis problem, providing another motivation for this line of research.


Deciding history-determinism — a difficult task. History-determinism is formally 
defined by a letter game played on the automaton A between Adam and Eve, 
where Adam produces an input word w, letter by letter, and Eve tries to resolve 
the nondeterminism in A so that the resulting run attains A’s value on w. Then 
A is HD if Eve has a winning strategy in the letter game on it. The difficulty of 
deciding who wins the letter game stems from its complicated winning condition 
— Eve wins if her run has the value of the supremum over all runs of A on w. 

The naive solution is to determinise A into an automaton D, and consider 
a game equivalent to the letter game that has a simple winning condition and 
whose arena is the product of A and D [16]. The downside with this approach, 
however, is that it requires the determinisation of A, which often involves a 
procedure exponential in the size of A and sometimes is even impossible due to 
an expressiveness gap. Note that deciding whether an automaton is good-for- 
games, which is closely related to whether it is HD [7,8], is also difficult, as it 
requires reasoning about composition with all possible games. 


Token games: a possible aid. In [3], Bagnol and Kuperberg introduced token games on ω-regular automata, which are closely related to the letter game, but easier to decide. In a k-token game on an automaton A, denoted by $G_k(A)$, like in the letter game, Adam generates a word w letter by letter, and Eve builds a run on w by resolving the nondeterminism. In addition, Adam also has to resolve the nondeterminism of A to build k runs letter-by-letter over w. The winning condition for Eve in these games is that either all runs built by Adam are rejecting, or Eve's run is accepting. Such games, as they compare concrete runs, are easier to solve than the letter game.

Then, to decide HDness for a class of automata, one can attempt to show that 
the letter game always has the same winner as a k-token game, for some k, and 
solve the k-token game. (If Eve wins the letter game then she wins the k-token 
game, for every k, by using the same strategy, ignoring Adam’s runs. However, 


122 U. Boker and K. Lehtinen 


it might be that she wins a k-token game, taking advantage of her knowledge of 
how Adam resolves the nondeterminism, but loses the letter game.) 

Bagnol and Kuperberg showed in [3] that on Büchi automata, the letter game and the 2-token game always have the same winner, and in [6], Boker, Kuperberg, Lehtinen and Skrzypczak extended this result to coBüchi automata. In both cases, this allows for a PTIME procedure for deciding HDness. Furthermore, Bagnol and Kuperberg suggested in [3, Conclusion] that 2-token games might characterise HDness also for parity automata (and therefore for all ω-regular automata); a conjecture (termed later the G2 conjecture) that is still open.


Our contribution. We extend token games to the quantitative setting, and use 
them to decide HDness of some quantitative automata. We define a k-token game 
on a quantitative automaton exactly as on a Boolean one, except that Eve wins 
if her run has a value at least as high as all of Adam’s runs. 

We show first, in Section 4, that the 1-token game, in which Adam just has one run to build, characterises history-determinism for all quantitative (and Boolean) automata on finite words, and for discounted-sum (DSum) automata on infinite words. This results in a PTIME decision procedure for checking HDness of Inf and Sup automata on finite words, and an NP∩coNP procedure for DSum automata on finite and infinite words. Note that the complexity for DSum automata on finite words was already known [14], but on infinite words it was erroneously believed to be NP-hard [17, Theorem 6].

Towards getting the above results, we analyse key properties of value func- 
tions of quantitative automata, and show that the 1-token game characterises 
HDness for every Val automaton, such that Val is present-focused (Definition 3), 
which is in particular the case for all Val automata on finite words [8, Lemma 
16], as well as DSum automata on infinite words [8, Lemma 22]. 

We then show, in Section 5, that the 2-token game, in which Adam builds two runs, characterises history-determinism for both LimSup and LimInf automata. The approach here is more involved: it decomposes the quantitative automaton into a collection of Büchi or coBüchi automata such that if Eve wins the 2-token game on the original automaton, she also wins in the component automata. Since the 2-token game characterises HD for Büchi and coBüchi automata, the component automata are then HD and the witness strategies can be combined with the 2-token strategy of the original automaton to build a letter-game strategy for Eve. The general flow of our approach is illustrated in Fig. 1.

We further present, in Section 5.1, algorithms to decide the winner of the two-token games on LimInf and LimSup automata via reductions to solving parity games. The complexity of the procedure for a LimSup automaton A is the same as that of solving a parity game of size polynomial in the size of A with twice as many priorities as there are weights in A, which is in quasipolynomial time. For LimInf automata the procedure is in exponential time. In both cases, it is only in polynomial time if the number of weights is logarithmic in the automaton size.

For some variants of the synthesis problem, the complexity of the witness of 
history-determinism is also of particular interest (while for other variants it is 
not), as it corresponds to the complexity of the implementation of the solution 


Quantitative Automata Token Games 123 


system [8, Section 5]. We give an exponential upper bound to the complexity of the witness for LimSup and LimInf automata, which, for LimInf, is tight. As a corollary, we obtain that HD LimSup automata are as expressive as deterministic LimSup automata and at most exponentially more succinct.


Related work. In the ω-regular setting (where HDness coincides with good-for-gameness), [16, Section 4] provides an exponential scheme for checking HDness of all ω-regular automata, based on determinisation and checking fair simulation. HDness of Büchi automata is resolved, as mentioned above, in PTIME, using 2-token games [3]. The coBüchi case is also resolved in PTIME, originally via an indirect usage of "joker games" [19], and later by using 2-token games [6].

In the quantitative setting, deciding HDness coincides with best-value par- 
tial domain synthesis [14], 0-regret synthesis [18] and, for some value functions, 
0-regret determinisation [13,8]. There are procedures to decide HDness (which is 
sometimes called good-for-gameness due to erroneously assuming them equiva- 
lent) of Sum, Avg, and DSum automata on finite words, as follows. 

For Sum and Avg automata on finite words, a PTIME solution combines [1, 
Theorem 4.1], which provides a PTIME algorithm for checking whether such an 
automaton is “determinisable by pruning”, and [8, Theorem 21], which shows 
that such an automaton is HD if and only if it is determinisable by pruning. 


Proposition 1. Deciding whether a Sum or Avg automaton on finite words is history-deterministic is in PTIME.


For DSum automata on finite words, [14, Theorem 23] provides an NP∩co-NP solution, using a game that is quite similar to the one-token game, differing from it in a few aspects (for example, Adam is asked to either copy Eve with his token or move into a second phase where he plays transitions first), and uses a characterisation of HD strategies resembling our notion of cautious strategies (Definition 2) specialised to DSum automata.


2 Preliminaries 


Words. An alphabet Σ is a finite nonempty set of letters. A finite (resp. infinite) word $u = \sigma_0 \dots \sigma_n \in \Sigma^*$ (resp. $w = \sigma_0 \sigma_1 \dots \in \Sigma^\omega$) is a finite (resp. infinite) sequence of letters from Σ; ε is the empty word. We write $\Sigma^\infty$ for $\Sigma^* \cup \Sigma^\omega$. We use $[i..j]$ to denote a set $\{i, \dots, j\}$ of integers, $[i]$ for $[i..i]$, $[..i]$ for $[0..i]$, and $[i..]$ for integers equal to or larger than i. We write $w[i..j]$, $w[..j]$, and $w[i..]$ for the infix $\sigma_i \dots \sigma_j$, prefix $\sigma_0 \dots \sigma_j$, and suffix $\sigma_i \dots$ of w. A language is a set of words.


Games. We consider a variety of turn-based zero-sum games between Adam (A) 
and Eve (E). Formally, a game is played on an arena of which the positions 
are partitioned between the two players. A play is a maximal (finite or infinite) 
path. The winning condition partitions plays into those that are winning for 
each player. In some of the technical developments we use parity games, in which 
moves are coloured with integer priorities and a play is winning for Eve if the maximal priority that occurs infinitely often along the play is even.

A strategy for a player $P \in \{A, E\}$ maps partial plays ending in a position belonging to P to a successor position. A (partial) play π agrees with a strategy $s_P$ of P, written $\pi \in s_P$, if whenever its prefix p ends in a position of P, the next move is $s_P(p)$. A strategy of P is winning from a position v if all plays starting at v that agree with it are winning for P. A strategy is positional if it maps all plays that end in the same position to the same successor. A game is determined if for every position, one of the players has a winning strategy.


Quantitative Automata. A nondeterministic quantitative³ automaton (or just automaton from here on) on words is a tuple $A = (\Sigma, Q, \iota, \delta)$, where Σ is an alphabet; Q is a finite nonempty set of states; $\iota \in Q$ is an initial state; and $\delta : Q \times \Sigma \to 2^{\mathbb{Q} \times Q}$ is a transition function over weight-state pairs.

A transition is a tuple $(q, \sigma, x, q') \in Q \times \Sigma \times \mathbb{Q} \times Q$, also written $q \xrightarrow{\sigma : x} q'$. (There might be several transitions with different weights over the same letter between the same states.) We write $\gamma(t) = x$ for the weight of a transition $t = (q, \sigma, x, q')$. A is deterministic if for all $q \in Q$ and $\sigma \in \Sigma$, $\delta(q, \sigma)$ is a singleton. We require that the automaton A is total, namely that for every state $q \in Q$ and letter $\sigma \in \Sigma$, there is at least one state q' and a transition $q \xrightarrow{\sigma : x} q'$.

A run of A on a word w is a sequence $\rho = q_0 \xrightarrow{w[0] : x_0} q_1 \xrightarrow{w[1] : x_1} q_2 \dots$ of transitions where $q_0 = \iota$ and $(x_i, q_{i+1}) \in \delta(q_i, w[i])$. As each transition $t_i$ carries a weight $\gamma(t_i) \in \mathbb{Q}$, the sequence ρ provides a weight sequence $\gamma(\rho) = \gamma(t_0)\gamma(t_1)\dots$. A Val (e.g., Sum) automaton is one equipped with a value function $Val : \mathbb{Q}^* \to \mathbb{R}$ or $Val : \mathbb{Q}^\omega \to \mathbb{R}$, which assigns real values to runs of A. The value of a run ρ is $Val(\gamma(\rho))$. The value of A on a word w is the supremum of $Val(\rho)$ over all runs ρ of A on w. Two automata A and A' are equivalent if they realise the same function. The size of an automaton consists of the maximum among the size of its alphabet, state-space, and transition-space.


Value functions.
For finite sequences $v = v_0 v_1 \dots v_{n-1}$ of rational weights:

– $\mathrm{Sum}(v) = \sum_{i=0}^{n-1} v_i$
– $\mathrm{Avg}(v) = \frac{1}{n} \sum_{i=0}^{n-1} v_i$

For finite and infinite sequences $v = v_0 v_1 \dots$ of rational weights:

– $\mathrm{Inf}(v) = \inf\{v_n \mid n \geq 0\}$
– $\mathrm{Sup}(v) = \sup\{v_n \mid n \geq 0\}$
– For a discount factor $\lambda \in \mathbb{Q} \cap (0, 1)$, $\lambda\text{-DSum}(v) = \sum_{i \geq 0} \lambda^i v_i$

For infinite sequences $v = v_0 v_1 \dots$ of rational weights:

– $\mathrm{LimInf}(v) = \lim_{n \to \infty} \inf\{v_i \mid i \geq n\}$
– $\mathrm{LimSup}(v) = \lim_{n \to \infty} \sup\{v_i \mid i \geq n\}$

³ We speak of "quantitative" rather than "weighted" automata, following the distinction made in [5] between the two.

ω-regular automata (with acceptance on transitions) can be viewed as special cases of quantitative automata. In particular, a Büchi (resp. coBüchi) automaton can be seen as a quantitative one, in which a rejecting transition has weight 0, an accepting transition has weight 1, and whose value function is 1 if the sequence of weights has infinitely many 1's and 0 otherwise (resp. 1 if the sequence of weights has finitely many 0's and 0 otherwise). See more on ω-regular automata, e.g., in [4].


History-determinism. Intuitively, an automaton is history-deterministic if there 
is a strategy to resolve its nondeterminism according to the word read so far 
such that for every word, the value of the resulting run is the value of the word. 


Definition 1 (History-determinism [11,8]). A Val automaton A is history-
deterministic (HD) if Eve wins the following win-lose letter game, in which Adam
chooses the next letter and Eve resolves the nondeterminism, aiming to construct
a run whose value is equivalent to the generated word's value.

Letter game: A play begins in q_0 = ι (the initial state of A) and at the i-th
turn, from state q_i, it progresses to a next state as follows:

— Adam picks a letter σ_i from Σ and
— Eve chooses a transition t_i = q_i −σ_i:x_i→ q_{i+1}.

In the limit, a play consists of an infinite word w that is derived from the
concatenation of σ_0, σ_1, ..., as well as an infinite sequence π = t_0, t_1, ...
of transitions. For A over infinite words, Eve wins a play in the letter
game if Val(π) ≥ A(w). For A over finite words, Eve wins if for all i ∈ ℕ,
Val(π[0..i]) ≥ A(w[0..i]).


Consider for example the LimSup automaton A in Fig. 2. Eve loses the letter
game on A: Adam can start with the letter a; then if Eve goes from s_0 to s_1,
Adam continues to choose a forever, generating the word a^ω, where A(a^ω) = 3,
while Eve's run has the value 2. If, on the other hand, Eve chooses on her first
move to go from s_0 to s_2, Adam continues with choosing b forever, generating
the word ab^ω, where A(ab^ω) = 2, while Eve's run has the value 1.


Families of value functions. We will provide some of our results with respect to 
a family of Val automata based on properties of the value function Val. 

We first define cautious strategies for Eve in both the letter game and token
games (Section 3), which we use to define present-focused value functions.
Intuitively, a strategy is cautious if it avoids mistakes: it only builds run prefixes
that can achieve the maximal value of any continuation of the current word prefix.


Definition 2 (Cautious strategies [8]). Consider the letter game on a Val
automaton A, in which Eve builds a run of A transition by transition. A move
(transition) t = q −σ:x→ q' of Eve, played after some run ρ ending in a state q,
is non-cautious if for some word w, there is a run π' from q over σw such that
Val(ρπ') is strictly greater than the value of Val(ρπ) for any π starting with t.
A strategy is cautious if it makes no non-cautious moves.

A winning strategy for Eve in the letter game must of course be cautious;
whether all cautious strategies are winning depends on the value function. We
call a value function present-focused if, morally, it depends on the prefixes of the
value sequence, formalised by winning the letter game via cautious strategies.


Definition 3 (Present-focused value functions [8]). A value function Val, 
on finite or infinite sequences, is present-focused if for all automata A with value 
function Val, every cautious strategy for Eve in the letter game on A is also a 
winning strategy in that game. 


Value functions on finite sequences are present-focused, as they can only 
depend on prefixes, while value functions on infinite sequences are not necessarily 
present-focused [8, Remark 17], for example LimInf and LimSup. 


Proposition 2 ([8, Lemma 16]). Every value function Val on finite sequences
of rational values is present-focused.


Proposition 3 ([8, Lemma 22]). For every λ ∈ ℚ ∩ (0, 1), λ-DSum on infinite
sequences of rational values is a present-focused value function.


3 Token Games 


Token games were introduced by Bagnol and Kuperberg [3] in the scope of
resolving the HDness problem of Büchi automata. In the k-token game, known
as G_k, the players proceed as in the letter game, except that now Adam has k
tokens that he must move after Eve has made her move, thus building k runs.
For Adam to win, at least one of these must be better than Eve's run. In the
Boolean setting, this run must be accepting, thus witnessing that the word is in
the language of the automaton. Intuitively, the more tokens Adam has, the less
information he is giving Eve about the future of the word he is building.

We generalise token games to the quantitative setting, defining that the maximal
value produced by Adam's runs witnesses a lower bound on the value of
the word, and Eve's task is to match or surpass this value on her run.

In the Boolean setting, G_2 has the same winner as the letter game for
Büchi [3, Corollary 21] and coBüchi [6, Theorem 28] automata (the case of
parity and more powerful automata is open). Since G_2 is solvable in polynomial
time for Büchi and coBüchi acceptance conditions, this gives a PTIME algorithm
for deciding HDness, which avoids the determinisation used to solve the letter
game directly. In the following sections we study how different token games can
be used to decide HDness for different quantitative automata.


Definition 4 (k-token games). Consider a Val automaton A = (Σ, Q, ι, δ).
A configuration of the game G_k(A) for k ≥ 1 is a tuple (q, p_1, ..., p_k) ∈ Q^{k+1}
of states. A play consists of an infinite sequence of configurations (ι, ι, ..., ι) =
(q_0, p_{1,0}, ..., p_{k,0}), (q_1, p_{1,1}, ..., p_{k,1}), .... In a configuration (q_i, p_{1,i}, ..., p_{k,i}), the
game proceeds to the next configuration as follows.

— Adam picks a letter σ_i from Σ,
— Eve picks a transition q_i −σ_i:x_i→ q_{i+1}, and
— Adam picks transitions p_{1,i} −σ_i:x_{1,i}→ p_{1,i+1}, ..., p_{k,i} −σ_i:x_{k,i}→ p_{k,i+1}.

In the limit, a play consists of an infinite word w that is derived from the
concatenation of σ_0, σ_1, ..., as well as k + 1 infinite sequences π (picked by Eve)
and π_1, ..., π_k (picked by Adam) of transitions over w. Eve wins the play if
Val(π) ≥ max(Val(π_1), ..., Val(π_k)).

On finite words, G_k is defined as above, except that the winning condition is
a safety condition for Eve: for all finite prefixes of a play, it must be the case
that the value of Eve's run is at least the value of each of Adam's runs.


Cautious strategies (Definition 2) immediately extend to Eve's strategies in
G_k(A). Note that unlike in the letter game, a winning strategy in G_k(A) is
not necessarily cautious, since Adam's run prefixes might not allow him to
build an optimal run over the word witnessing that Eve's move was non-cautious.


4 Deciding History-Determinism via One-Token Games 


Bagnol and Kuperberg showed that the one-token game G_1 does not suffice to
characterise HDness for Büchi automata [3, Lemma 8]. However, it turns out
that G_1 does characterise HDness for all quantitative (and Boolean) automata
on finite words and some quantitative automata on infinite words.

We can then use G_1 to decide history-determinism of those of these automata
over which the G_1 game is simple to decide: in particular, Inf and Sup automata
on finite words and DSum automata on finite and infinite words.


Theorem 1. Given a nondeterministic automaton A with a present-focused
value function Val over finite or infinite words, Eve wins G_1(A) if and only
if A is HD. Furthermore, a winning strategy for Eve in G_1(A) induces an HD
strategy with the same memory.


Proof. One direction is easy: if A is HD, Eve can use her HD strategy to win G_1
by ignoring Adam's token. For the other direction, assume that Eve wins G_1.

We consider the following family of copycat strategies for Adam in G_1: a
copycat strategy is one where Adam moves his token in the same way as Eve until
she makes a non-cautious move t = q −σ:x→ q' after building a run ρ; that is, there
is some word w and run π' from q on σw, such that for every run π on σw starting
with t, we have Val(ρπ') > Val(ρπ). Then the copycat strategy stops copying and
directs Adam's token along the run π' and plays the word w. If Eve plays a non-
cautious move in G_1 against a copycat strategy, she loses. Then, if Eve wins
G_1 with a strategy s, she wins in particular against all copycat strategies and
therefore s never makes a non-cautious move against such a strategy.

Eve can then play in the letter game over A with a strategy s' that moves
her token as s would in G_1(A) assuming Adam uses a copycat strategy. Then,
s' never makes a non-cautious move and is therefore a cautious strategy. Since
Val is present-focused, any cautious strategy, and in particular s', is winning in
the letter game, so A is HD. Note that s' requires no more memory than s.


Corollary 1. Given a nondeterministic automaton A over finite words, Eve
wins G_1(A) if and only if A is HD, and winning strategies in G_1(A) induce HD
strategies for A of the same complexity.


Proof. A direct consequence of Proposition 2 and Theorem 1. 


Solving token games. For resolving the HDness problem of Val automata where
Val is present-focused, it then remains to study for which of them the
corresponding G_1 game is simple to decide.


Theorem 2. Deciding whether an Inf or Sup automaton on finite words is HD
is in PTIME, namely in O(|Σ|n²k) for Sup and O(|Σ|n²k²) for Inf, where Σ is
the automaton's alphabet, k the number of weights and n the number of states.


Proof. Given a Sup automaton A = (Σ, Q, ι, δ) with weights W, G_1(A) reduces
to solving a safety game, whose positions (σ, q, q', x_E, t) ∈ (Σ ∪ {ε}) × Q² × W ×
{L, E, A} consist of a possibly empty letter σ representing the last letter played,
a pair of states (q, q'), one for Eve and one for Adam, which keep track of the end
of the current run built by each player, a weight x_E from W, which keeps track
of the maximal weight seen on Eve's run so far, and a turn variable t ∈ {L, E, A}
indicating whether it is Adam's turn to give a letter (L), Eve's turn to choose
a transition (E), or Adam's turn to choose a transition (A). The initial position
is (ε, ι, ι, m, L) where m is the minimal weight of A. The moves and position
ownership encode the permitted moves in G_1(A) and update x_E to reflect the
maximal value of Eve's run. The winning condition for Eve is a safety condition:
Adam wins if he picks a move with a weight higher than x_E, the maximal weight
on Eve's run. Then plays in this game are in bijection with plays of G_1(A), and
Eve wins if and only if she can avoid Adam choosing a transition with a larger
weight than x_E, that is, if she can win G_1(A).

Then, solving G_1(A) reduces to solving this safety game, which can be done
in time linear in the number of positions of the arena, which is 3|Σ|n²k.

The case of Inf automata is similar, except that instead of keeping Eve's
maximal value along her run, we need to keep the minimal value along Adam's
run in some variable x_A, and the safety condition for Eve is that her current
value must always be at least as big as x_A and Adam's next move. Since Adam
plays after Eve in each round of the game, we also need to keep Eve's last value,
thus having 3|Σ|n²k² positions.
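As an added example (not code from the paper), the safety-game reduction of Theorem 2 for Sup automata on finite words: the arena over positions (σ, q, q', x_E, t) is explored from (ε, ι, ι, m, L), and Eve wins G_1(A) iff the initial position lies outside Adam's attractor of the positions where his transition weight exceeds x_E. The two automata are constructed for the example; in GUESS Eve must guess the continuation after the first a, in DOMINATED one choice is never worse than the other.

```python
EPS = None   # the empty letter ε of the paper's positions (no letter pending)


class SupAutomaton:
    """Sup automaton on finite words (constructed for this example).

    delta maps (state, letter) to a non-empty list of (weight, next_state),
    i.e. the automaton is total, as the paper requires.
    """

    def __init__(self, alphabet, states, initial, delta):
        self.alphabet, self.states, self.initial, self.delta = alphabet, states, initial, delta
        for q in states:
            for a in alphabet:
                assert delta.get((q, a)), f"not total at ({q}, {a})"

    def weights(self):
        """The weight set W, sorted so that W[0] is the minimal weight m."""
        return sorted({x for trans in self.delta.values() for x, _ in trans})


def successors(aut, pos):
    """Moves from a position (sigma, q, q', x_E, turn) of the safety game.

    Returns (owner, next_positions, adam_wins_here).  x_E is the maximal
    weight on Eve's run so far; Adam wins as soon as he can take a
    transition whose weight exceeds it.
    """
    sigma, q, qa, xe, turn = pos
    if turn == "L":          # Adam picks a letter
        return "Adam", [(a, q, qa, xe, "E") for a in aut.alphabet], False
    if turn == "E":          # Eve picks her transition and updates x_E
        return "Eve", [(sigma, q1, qa, max(xe, x), "A")
                       for x, q1 in aut.delta[(q, sigma)]], False
    nxt = []                 # turn == "A": Adam picks his transition
    for y, qa1 in aut.delta[(qa, sigma)]:
        if y > xe:
            return "Adam", [], True
        nxt.append((EPS, q, qa1, xe, "L"))
    return "Adam", nxt, False


def eve_wins_g1(aut):
    """Solve G_1(A) as in Theorem 2: Eve wins iff the initial position lies
    outside Adam's attractor of the positions where he wins immediately."""
    init = (EPS, aut.initial, aut.initial, aut.weights()[0], "L")
    arena, bad, stack = {}, set(), [init]
    while stack:                               # explore the reachable arena
        pos = stack.pop()
        if pos in arena:
            continue
        owner, nxt, lost = successors(aut, pos)
        arena[pos] = (owner, nxt)
        if lost:
            bad.add(pos)
        stack.extend(nxt)
    attr, changed = set(bad), True
    while changed:                             # least fixpoint of Adam's attractor
        changed = False
        for pos, (owner, nxt) in arena.items():
            if pos in attr:
                continue
            if (owner == "Adam" and any(n in attr for n in nxt)) or \
               (owner == "Eve" and all(n in attr for n in nxt)):
                attr.add(pos)
                changed = True
    return init not in attr


# Constructed automata over {a, b}.  In GUESS, the first 'a' forces Eve to
# guess whether the rest of the word is a's (weight 2 on s1) or b's (weight 2
# on s2); a copycat Adam moves to the other state and then exhibits weight 2.
GUESS = SupAutomaton(("a", "b"), ("s0", "s1", "s2"), "s0", {
    ("s0", "a"): [(1, "s1"), (1, "s2")], ("s0", "b"): [(0, "s0")],
    ("s1", "a"): [(2, "s1")], ("s1", "b"): [(0, "s1")],
    ("s2", "a"): [(0, "s2")], ("s2", "b"): [(2, "s2")],
})
# In DOMINATED the choice of s2 is never better than s1, so Eve resolves the
# nondeterminism by always moving to s1 (the automaton is HD).
DOMINATED = SupAutomaton(("a", "b"), ("s0", "s1", "s2"), "s0", {
    ("s0", "a"): [(1, "s1"), (0, "s2")], ("s0", "b"): [(0, "s0")],
    ("s1", "a"): [(2, "s1")], ("s1", "b"): [(2, "s1")],
    ("s2", "a"): [(1, "s2")], ("s2", "b"): [(1, "s2")],
})

if __name__ == "__main__":
    print("GUESS is HD:", eve_wins_g1(GUESS))          # False
    print("DOMINATED is HD:", eve_wins_g1(DOMINATED))  # True
```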


Next, we show that solving G_1 is in NP ∩ co-NP for DSum automata.


Theorem 3. For every λ ∈ ℚ ∩ (0,1), deciding whether a λ-DSum automaton
A, on finite or infinite words, is HD is in NP ∩ co-NP⁴.

⁴ It was already known for finite words [14]. It is perhaps surprising for infinite words,
given the NP-hardness result in [17, Theorem 6]. In consultation with the authors,
we have confirmed that there is an error in the hardness proof.

Proof. Consider a λ-DSum automaton A = (Σ, Q, ι, δ), where the weight of a
transition t is denoted by γ(t). From Propositions 2 and 3 and Theorem 1, Eve
wins G_1(A) if and only if A is HD. It therefore suffices to show that solving
G_1(A) is in NP ∩ co-NP. We achieve this by reducing solving G_1(A) to solving a
discounted-sum threshold game, which Eve wins if the DSum of a play is
non-negative. It is enough to consider infinite games, as they also encode finite games,
by allowing Adam to move to a forever-zero-position in each of his turns.


The reduction follows the same pattern as that in the proof of Theorem 2: we
represent the arena of the game G_1(A) as a finite arena, and encode its winning
condition, which requires the difference between the DSum of two runs to be
non-negative, as a threshold DSum winning condition. Note first that the difference
between the λ-DSum of the two sequences x_0 x_1 ... and x'_0 x'_1 ... of weights is equal
to the λ-DSum of the sequence of differences d_0 = (x_0 − x'_0), d_1 = (x_1 − x'_1), ...
as follows:

$$\Big(\sum_{i \ge 0} \lambda^i x_i\Big) - \sum_{i \ge 0} \lambda^i x'_i = \sum_{i \ge 0} \lambda^i (x_i - x'_i).$$

We now describe the DSum arena G in which Eve wins with a non-strict
0-threshold objective if and only if she wins G_1(A). The arena has positions in
(σ, q, q', t, m) ∈ (Σ ∪ {ε}) × Q² × (δ ∪ {ε}) × {L, E, A} where σ is the potentially
empty last played letter, starting with ε, the states q, q' represent the positions
of Eve and Adam's tokens, t is the transition just played by Eve if m = A and ε
otherwise, and m denotes the move type, having L for Adam choosing a letter,
E for Eve choosing a transition and A for Adam choosing a transition.


A move of Adam that chooses a transition t' = q' −σ:x'→ q'', namely a move
(σ, q, q', t, A) → (σ, q, q'', ε, L), is given weight γ(t) − γ(t'), that is, the difference
between the weights of the transitions chosen by both players. Other transitions
are given weight 0. Observe that we need to compensate for the fact that only
one edge in three is weighted. One option to do it is to take a discount factor
λ' = ∛λ for the DSum game G. Yet, λ' can then be irrational, which somewhat
complicates things. Another option is to consider discounted-sum games
with multiple discount factors [2] and choose three rational discount factors
λ', λ'', λ''' ∈ ℚ ∩ (0,1), such that λ' · λ'' · λ''' = λ. Since the first two weights in
every triple are 0, only the multiplication of the three discount factors toward
the third weight is what matters. For λ = p/q where p < q are positive integers,
one can choose

$$\lambda' = \frac{p}{p+1}, \qquad \lambda'' = \frac{p+1}{p+2} \qquad \text{and} \qquad \lambda''' = \frac{p+2}{q}.$$


Plays in G_1(A) and in G are in bijection. It now suffices to argue that the
winning condition of G, namely that the (λ', λ'', λ''')-DSum of the play is
non-negative, correctly encodes the winning condition of G_1(A), meaning that the
difference between the λ-DSum of Eve's run and of Adam's run is non-negative.


Let d_0 d_1 ... be the sequence of weight differences between the transitions
played by both players in G_1(A), and let λ_0, λ_1, ... and w_0, w_1, ... be the
corresponding sequences of discount factors and weights in the (λ', λ'', λ''')-DSum
game, respectively, where for every i we have w_{3i} = 0 and λ_{3i} = λ',
w_{3i+1} = 0 and λ_{3i+1} = λ'', and w_{3i+2} = d_i and λ_{3i+2} = λ'''. Then the value
of the (λ', λ'', λ''')-DSum sequence is equal to the required DSum sequence
multiplied by λ' · λ'':

$$(\lambda', \lambda'', \lambda''')\text{-}\mathrm{DSum} = \sum_{i=0}^{\infty}\Big(0 \cdot \prod_{j=0}^{3i-1} \lambda_j + 0 \cdot \prod_{j=0}^{3i} \lambda_j + w_{3i+2} \cdot \prod_{j=0}^{3i+1} \lambda_j\Big) = \lambda' \lambda'' \sum_{i=0}^{\infty} \lambda^i d_i$$


Hence Eve wins the game G_1(A) if and only if she wins the 0-threshold
(λ', λ'', λ''')-DSum game over G. As G has a state-space polynomial in the state-
space of A and solving DSum-games is in NP ∩ co-NP [2], solving G_1(A), and
therefore deciding whether A is HD, is also in NP ∩ co-NP.
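As an added example (not the paper's code), the discount-factor bookkeeping of this reduction carried through with exact rationals: each round of G_1(A) becomes three arena edges weighted 0, 0 and γ(t) − γ(t'), discounted by λ', λ'', λ''' in turn, and the identity above says the resulting multi-discount DSum equals λ'·λ'' times the λ-DSum of the difference sequence. The weight sequences and λ = 2/5 are constructed inputs; the finite prefixes stand in for the infinite plays of the proof.

```python
from fractions import Fraction


def split_discount(p, q):
    """Rational factors λ', λ'', λ''' with λ'·λ''·λ''' = p/q, as chosen in the proof.
    Assumes 0 < p and p + 2 < q so that all three lie in (0, 1)."""
    l1, l2, l3 = Fraction(p, p + 1), Fraction(p + 1, p + 2), Fraction(p + 2, q)
    assert l1 * l2 * l3 == Fraction(p, q)
    return l1, l2, l3


def multi_dsum(weights, factors):
    """(λ_0, λ_1, ...)-DSum of a finite prefix: Σ_i w_i · Π_{j<i} λ_j."""
    total, acc = Fraction(0), Fraction(1)
    for w, lam in zip(weights, factors):
        total += w * acc
        acc *= lam
    return total


def dsum(weights, lam):
    """Ordinary λ-DSum of a finite prefix: Σ_i λ^i w_i."""
    return sum(Fraction(w) * lam ** i for i, w in enumerate(weights))


def encode_play(eve_weights, adam_weights, p, q):
    """Encode a G_1 play prefix as in the reduction: each round becomes three
    arena edges, weighted 0 (letter), 0 (Eve) and γ(t) − γ(t') (Adam), discounted
    by λ', λ'', λ''' in turn.  Returns the triple-DSum of the encoded play and
    λ'·λ'' times the λ-DSum of the difference sequence d_0 d_1 ...; the proof's
    identity says these coincide."""
    l1, l2, l3 = split_discount(p, q)
    diffs = [Fraction(e) - Fraction(a) for e, a in zip(eve_weights, adam_weights)]
    weights, factors = [], []
    for d in diffs:
        weights += [0, 0, d]          # w_{3i} = w_{3i+1} = 0, w_{3i+2} = d_i
        factors += [l1, l2, l3]       # λ_{3i} = λ', λ_{3i+1} = λ'', λ_{3i+2} = λ'''
    return multi_dsum(weights, factors), l1 * l2 * dsum(diffs, Fraction(p, q))


def eve_wins_prefix(eve_weights, adam_weights, p, q):
    """Non-strict 0-threshold objective on the encoded prefix: True iff the
    λ-DSum of Eve's run is at least that of Adam's (λ'·λ'' > 0 keeps the sign)."""
    encoded, _ = encode_play(eve_weights, adam_weights, p, q)
    return encoded >= 0


if __name__ == "__main__":
    # Constructed weight sequences for Eve's and Adam's runs, λ = 2/5.
    print(encode_play([3, 1, 2, 5], [1, 1, 4, 0], 2, 5))   # (Fraction(1, 1), Fraction(1, 1))
    print(eve_wins_prefix([0, 0, 1], [1, 0, 0], 2, 5))      # False
```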


DSum games are positionally determined [22,23,2] so this algorithm also com- 
putes a finite-memory witness of HDness for A that is of polynomial size in the 
state-space of A. However, a positional witness also exists [17, Section 5]. 


5 Deciding History-Determinism via Two Token Games 


In this section we solve the HDness problem of LimSup and LimInf automata via
two-token games. As is the case with Büchi and coBüchi automata, one-token
games do not characterise HDness of LimSup and LimInf automata. For LimInf, a
possible alternative approach is to try to solve the letter game directly: we can
use an equivalent deterministic LimInf automaton to track the value of a word,
and the winning condition of the letter game corresponds to comparing Eve's run
to the one of the deterministic automaton. Unfortunately, determinising LimInf
automata is exponential in the number of its states [10, Theorem 13], so the new
game is large, and, in addition, its winning condition, which compares the LimInf
value of two runs, is non-standard and needs additional work to be encoded into
a parity game. For LimSup automata the situation is even worse, as they are
not necessarily equivalent to deterministic LimSup automata, so it is not obvious
whether the winner of the letter game is decidable at all.

Here we show that the 2-token-game approach, used to resolve HDness of
Büchi and coBüchi automata, can be generalised to LimSup and LimInf automata.
While the proof that G_2 has the same winner as the letter game is quite different
for the Büchi and coBüchi cases, our proofs for the LimSup and LimInf cases follow
the same structure, while relying on the Büchi and coBüchi results respectively.
However, the argument that G_2(A) is solvable differs according to whether A is a
LimSup or LimInf automaton. In particular, perhaps surprisingly (since the naive
approach to solving the letter game seems harder for LimSup), we show that G_2
is solvable in quasipolynomial time for LimSup while for LimInf our algorithm is
exponential in the number of weights (but not in the number of states).

Without loss of generality, we assume the weights to be {1, 2,...}. 

We start, in Section 5.1, with analysing the 2-token game on LimSup and 
LimInf automata, and show, in Section 5.2, that it characterises their HDness. 


5.1 G_2 on LimSup and LimInf Automata


We first observe that G_2(A), for both a LimSup and a LimInf automaton A, can
be solved via a reduction to a parity game. The G_2 winning condition for LimSup
automata can be encoded by adding carefully chosen priorities to the arena of
G_2(A), while for LimInf the encoding requires additional positions.


Lemma 1. Given a nondeterministic LimSup automaton A of size n with k
weights, the game G_2(A) can be solved in time quasipolynomial in n, and if k is
in O(log n), in time polynomial in n.


Proof. We encode the game G_2(A), for a LimSup automaton A = (Σ, Q, ι, δ),
into a parity game as follows. The arena is simply the arena of G_2(A), seen as a
product of the alphabet and three copies of A, to reflect the current letter and
the current position of each of the three runs (one for Eve, two for Adam).

Adam's letter-picking moves are labelled with priority 0, Eve's choices of
transition q −σ:x→ q' are labelled with priority 2x and Adam's choices of transition
q −σ:x→ q' are labelled with priority 2x − 1.

We claim that Eve wins this parity game if and only if she wins G_2(A), that
is, the priorities correctly encode the winner of G_2(A). Observe that the even
priorities seen infinitely often in a play of the parity game are exactly priorities
2x, where x is a weight seen infinitely often in Eve's run in the corresponding play
in G_2(A). The odd priorities seen infinitely often on the other hand are 2x − 1,
where x > 0 occurs infinitely often on one of Adam's runs in the corresponding
play of G_2(A). Hence, Eve can match the maximal value of Adam's runs in
G_2(A) if and only if she can win the parity game that encodes G_2(A).

The number of positions in this game is polynomial in the size n of A; the
maximal priority is linear in the number of weights. It can be solved in
quasipolynomial time, or in polynomial time if the number of weights is in O(log n), using
the reader's favourite state-of-the-art parity game algorithm, for instance [9].


Lemma 2. Given a nondeterministic LimInf automaton A of size n with k 
weights, the game G2(A) can be solved in time exponential in n, and if k is 
in O(log n), in time polynomial in n. 


Proof. As in the proof of Lemma 1, we can represent G_2(A) as a game on an
arena that is the product of three copies of A, one for Eve and two for Adam.
The winning condition for Eve is that the smallest weight seen infinitely often on
the run built on her copy of A should be at least as large as both of the minimal
weights seen infinitely often on the runs built on Adam's copies. We will encode
this winning condition as a parity condition, but, unlike in the LimSup case, we
will need to use an additional memory structure, which we describe now.

Intuitively, the weights on Eve's run will be encoded by odd priorities, with
smaller weights corresponding to higher priorities, as in LimInf the lowest weight
seen infinitely often is the one that matters, while weights on Adam's runs will
be encoded by even priorities, but only once both of Adam's runs have seen the
corresponding weight or a lower one. This is the role of the memory structure,
which encodes which of Adam's runs has seen which weight recently.

More precisely, let k be the number of weights in A. Moves corresponding
to Eve choosing a transition of weight i have priority 2(k − i + 1) − 1, that is,
an odd priority that is larger the smaller i is. Further, for each weight i, we use a
three-valued variable x_i ∈ {0, 1, 2}, initiated to 0, which gets updated as follows:
if x_i = 0 and the game takes a transition with a weight w ≤ i on one of Adam's
runs, x_i is updated to 1 or 2 according to which of Adam's runs saw this weight;
if x_i = 1 (resp. 2) and Adam's second (resp. first) run takes a transition with
weight w ≤ i, then x_i is reset to 0. Transitions that reset variables to 0 have
priority 2(k − i + 1) for the minimal i such that the transition resets x_i to 0; other
transitions have priority 1. Other moves do not affect x_i, and have priority 1.

We now argue that the highest priority seen infinitely often along a play is
even if and only if the LimInf value of Eve's run is at least as high as that of
both of Adam's runs. Indeed, the maximal odd priority seen infinitely often on
a play is 2(k − i + 1) − 1 such that i is the minimal weight seen on Eve's run
infinitely often, and the maximal even priority seen infinitely often is 2(k − j + 1)
where j is the minimal weight such that both of Adam's runs see j or a smaller
weight infinitely often. In particular, 2(k − i + 1) − 1 < 2(k − j + 1) if and only
if i ≥ j, that is, if Eve wins G_2(A).

This parity game is of size exponential in k due to the memory structure
({0, 1, 2}^k) and has 2k priorities. As the number of priorities is logarithmic in
the size of the game, it can be solved in polynomial time [9]. If the number of
weights is in O(log n), then the algorithm is polynomial in the size n of A.


5.2 G_2 Characterises HDness for LimSup and LimInf Automata


The rest of the section is dedicated to proving that a LimSup or LimInf automaton
is HD if and only if Eve wins the 2-token game on it. In both cases, the structure
of the argument is similar. One direction is immediate: if an automaton A is
HD, then Eve can use the letter-game strategy to win in G_2(A), ignoring Adam's
tokens. The other direction requires more work. We use an additional notion, that
of k-HDness, also known as the width of an automaton [21], which generalises
HDness, in the sense that Eve maintains k runs, rather than only one, and needs
at least one of them to be optimal. We will then show that if Eve wins G_2(A),
then A is k-HD for a finite k (namely, the number of weights in A minus one).
Finally, we will show that for automata that are k-HD, for any finite k, a strategy
for Eve in G_k(A) can be combined with the k-HD strategy to obtain a strategy
for her in the letter game.

Many of the tools used in this proof are familiar from the ω-regular
setting [3,6]. The main novelty in the argument is the decomposition of the LimSup
(LimInf) automaton A with k weights into k − 1 Büchi (coBüchi) automata
A_2, ..., A_k that are HD whenever Eve wins G_2(A). (The converse does not hold,
namely A_2, ..., A_k can be HD even if Eve loses G_2(A) — see Fig. 2.) The HD
strategies for A_2, ..., A_k can then be combined to prove the k-HDness of A.

Fig. 1 illustrates the flow of our arguments.

We first generalise to quantitative automata Bagnol and Kuperberg's key
insight that if Eve wins G_2, then she also wins G_k for all k [3, Thm 14].
Fig. 1. The flow of arguments for showing that G_2(A) ⇒ HD(A) for a LimInf or
LimSup automaton A.


[Fig. 2: automaton diagrams of A, A_2 and A_3; not recoverable from the extracted text]


Fig. 2. A LimSup automaton A and corresponding Büchi automata A_2 and A_3, as per
Lemma 3. (Accepting transitions in A_2 and A_3 are marked with double lines.) Observe
that A is not HD and Eve loses the two-token game on A, while both A_2 and A_3 are
HD. (In A, if Eve goes from s_0 to s_1, Adam goes from s_0 to s_2 and continues with an
a, and if she goes from s_0 to s_2, Adam goes from s_0 to s_1 and continues with a b. In
A_2 Eve goes from s_0 to s_1 and in A_3 from s_0 to s_2.)


Theorem 4. Given a quantitative automaton A, if Eve wins G_2(A) then she
also wins G_k(A) for any k ∈ ℕ \ {0}. Furthermore, if her winning strategy in
G_2(A) has memory of size m and A has n states, then she has a winning strategy
in G_k(A) with memory of size n^{k−1} · m^k.

Proof. This is the generalisation of [3, Thm 14]. The proof is similar to Bagnol
and Kuperberg's original proof, but without assuming positional strategies for
Eve in G_k(A). If Eve wins G_2(A) then she obviously wins G_1(A), using her
G_2 strategy with respect to two copies of Adam's single token in G_1. We thus
consider below G_k(A) for every k ∈ ℕ \ {0, 1, 2}.

Let s_2 be a winning strategy for Eve in G_2(A). We inductively show that
Eve has a winning strategy s_i in G_i(A) for each finite i. To do so, we assume
a winning strategy s_{i−1} in G_{i−1}(A). The strategy s_i maintains some additional
(not necessarily finite) memory that maintains the position of one virtual token
in A, a position in the (not necessarily finite) memory structure of s_{i−1}, and a
position in the (not necessarily finite) memory structure of s_2. The virtual token
is initially at the initial state of A. The strategy s_i then plays as follows: at each
turn, after Adam has moved his i tokens and played a letter (or, at the first turn,
just played a letter), it first updates the s_{i−1} memory structure, by ignoring the
last of Adam's tokens, and, treating the position of the virtual token as Eve's
token in G_{i−1}(A), it updates the position of the virtual token according to the
strategy s_{i−1}; it then updates the s_2 memory structure by treating Adam's last
token and the virtual token as Adam's 2 tokens in G_2(A), and finally outputs
the transition to be played according to s_2.

We now argue that this strategy is indeed winning in G_i(A). Since s_{i−1} is a
winning strategy in G_{i−1}(A), the virtual token traces a run of which the value
is at least as large as the value of any of the runs built by the first i − 1 tokens
of Adam. Since s_2 is also winning, the value of the run built by Eve's token is at
least as large as the values of the runs built by the virtual token and by Adam's
last token. Hence, Eve is guaranteed to achieve at least the supremum value of
Adam's i runs, making this a winning strategy in G_i(A).

As for the memory size of a winning strategy for Eve in G_k(A), let m be the
memory size of her winning strategy in G_2(A) and n the number of states in A.
Then, by the above construction of her strategy in G_i(A), the memory of her
strategy in G_3(A) is n for the virtual token times m for the copy of her memory
in G_2(A) times m for the copy of her memory in G_{i−1}(A) = G_2(A), namely
n · m · m = n · m². Then for G_4(A) it is n · m · (n · m²) = n² · m³; for G_5(A) it is
n · m · (n² · m³) = n³ · m⁴, and for G_k(A) it is n^{k−1} · m^k.


We proceed with the definition of k-HDness, also known as width [21], based
on the k-runs letter game (not to be confused with G_k, the k-token game), which
generalises the letter game.


Definition 5 (k-HD and k-runs letter game). A configuration of the game
on a LimSup (LimInf) automaton A = (Σ, Q, ι, δ) is a tuple q⃗ ∈ Q^k of states of
A, each initialised to ι.

In a configuration (q_{i,1}, ..., q_{i,k}), the game proceeds to the next configuration
(q_{i+1,1}, ..., q_{i+1,k}) as follows.

— Adam picks a letter σ_i ∈ Σ, then
— Eve chooses for each q_{i,j} a transition q_{i,j} −σ_i→ q_{i+1,j}.

In the limit, a play consists of an infinite word w that is derived from the
concatenation of σ_0, σ_1, ..., as well as of k infinite sequences ρ_1, ..., ρ_k of transitions.
Eve wins the play if max_{j ∈ {1, ..., k}} Val(ρ_j) = A(w).

If Eve has a winning strategy, we say that A is k-HD, or that HD_k(A) holds.


Notice that the standard letter game (Definition 1) is a 1-run letter game and
standard HD (Definition 1) is 1-HD.
Next, we use HD_k(A) to show that G_2 characterises HDness.
Proposition 4 ([3]). Given a quantitative automaton A, if HD_k(A) for some
k ∈ ℕ, and Eve wins G_k, then A is HD.


Proof. The argument is identical to the one used in [3], which we summarise
here. The strategy τ for Eve in HD_k(A) provides a way of playing k tokens that
guarantees that one of the k runs formed achieves the automaton's value on the
word w played by Adam. If Eve moreover wins G_k(A) with some strategy s_k,
she can, in order to win in the letter game, play s_k against Adam's letters and k
virtual tokens that she moves according to τ. The winning strategy τ guarantees
that one of the k runs built by the k virtual tokens achieves Val(w); then her
strategy s_k guarantees that her run also achieves Val(w).


It remains to prove that if Eve wins G_2(A), then HD_k(A) for some k.

Given a LimSup automaton A, with weights {1, ..., k}, we define k − 1 auxiliary
Büchi automata A_2, ..., A_k with acceptance on transitions, such that each
A_x is a copy of A, where a transition is accepting if its weight i in A is at least
x. Each A_x recognises the set of words w such that A(w) ≥ x. (See Fig. 2.)

Given a LimInf automaton A, we similarly define auxiliary coBüchi automata:
A_x is a copy of A where transitions with weights smaller than x are rejecting,
while those with weights x or larger are accepting. Again, A_x recognises the set
of words w such that A(w) ≥ x.

We now use these auxiliary automata to argue that if Eve wins G_2(A) then HD_{k−1}(A).


Lemma 3. Given a LimSup or LimlInf automaton A with weights {1,...,k}, if 
Eve wins Go(A), then for all x € {2,...,k}, Eve also wins Go (Az). 


Proof. Since A, is identical to A except for the acceptance condition or value 
function, Eve can use in G2(A,) her winning strategy in G2(A). For the LimSup 
case, if one of Adam’s runs sees an accepting transition infinitely often, the 
underlying transition of A visited infinitely often has weight at least x. Then, 
Eve’s strategy guarantees that her run also sees infinitely often a value at least 
as large as x, corresponding to an accepting transition in Go(A,). 

Similarly, for the LimInf case, if one of Adam’s runs avoids seeing a rejecting 
transition infinitely often in A,, then this run’s value in A is at least x, and 
Eve’s strategy guarantees that her run’s value in A is at least x, meaning that 
it avoids seeing a rejecting transition in A, infinitely often, and accepts. 


Lemma 4. Given a LimSup or Limlnf automaton A with weights {1,...,k}, if 
Eve wins G2(A,) for all x € {2,...,k} then HD,_1(A) holds. 


Proof. From Lemma 3, if Eve wins $G_2(A)$, then for all $x \in \{2,\ldots,k\}$, Eve also wins $G_2(A_x)$. Since each $A_x$ is a Büchi or coBüchi automaton, this implies that for all $x \in \{2,\ldots,k\}$, the automaton $A_x$ is HD [3,6], that is, there is a winning strategy $s_x$ for Eve in the letter game on each $A_x$. Now, in the $(k-1)$-run letter game on $A$, Eve can use each $s_x$ to move one token. Then, if Adam plays a word $w$ with some value $\mathrm{Val}(w) = i$, this word is accepted by $A_i$, and therefore the strategy $s_i$ guarantees that the run of the $i$th token achieves at least the value $i$, corresponding to seeing accepting transitions of $A_i$ infinitely often for the LimSup case, or eventually avoiding rejecting transitions in the LimInf case.

136 U. Boker and K. Lehtinen


Finally, we combine the $G_2$ and $\mathrm{HD}_{k-1}$ strategies in $A$ to show that $A$ is HD.


Theorem 5. A nondeterministic LimSup or LimInf automaton $A$ is HD if and only if Eve wins $G_2(A)$.


Proof. If $A$ is HD then Eve can use the letter-game strategy to win in $G_2(A)$, ignoring Adam's moves. If Eve wins $G_2(A)$ then by Lemma 3 and Lemma 4 she wins $\mathrm{HD}_{k-1}(A)$, where $k$ is the number of weights in $A$. By Theorem 4 she also wins $G_{k-1}(A)$ and, finally, by Proposition 4 we get that $A$ is HD.


Theorem 6. Given a nondeterministic LimSup (resp. LimInf) automaton $A$ of size $n$ with $k$ weights, the HDness problem of $A$ can be solved in time quasipolynomial (resp. exponential) in $n$. In both cases, if $k$ is in $O(\log n)$, it can be solved in time polynomial in $n$.


Proof. It directly follows from Theorem 5 and Lemmas 1 and 2; the former reduces the HDness problem to solving $G_2(A)$, and the latter two show that $G_2(A)$ can be solved in the stated complexity.


In contrast to the cases considered in Section 4, where strategies in $G_1$ immediately induce HD strategies of the same complexity, for Büchi and coBüchi automata, a winning $G_2$ strategy does not necessarily induce an HD strategy (even though it implies the existence of such a strategy). We now analyse the size of the HD strategies which our proofs show exist whenever Eve wins $G_2$, and discuss the implications for the determinisability of HD LimSup automata.


Corollary 2. Given an HD LimSup or LimInf automaton $A$ of size $n$, there is an HD strategy for $A$ with memory exponential in $n$. If $A$ is a LimSup automaton with $O(\log n)$ weights then the memory is only polynomial in $n$.


Proof. Let $n$ be the size of $A$ and $k+1$ the number of weights. We construct an HD strategy for $A$, by combining an $\mathrm{HD}_k$ strategy and a $G_k$ strategy for it.

The $\mathrm{HD}_k$ strategy—which, like the HD strategy, is hard to compute directly—combines the HD strategies of the $k$ auxiliary Büchi or coBüchi automata for $A$, as constructed in Lemma 3. For HD Büchi automata, which are equivalent to deterministic automata of quadratic size [19], there always exists a polynomial resolver: indeed, the letter game can be represented as a polynomial parity game, in which a positional strategy for Eve corresponds to a resolver. For HD coBüchi automata on the other hand, these auxiliary strategies might have exponential memory in the number of states of $A$ [19].

The $G_k$ strategy on the other hand is positional for LimSup, since it can be encoded as a parity game directly on the $G_k(A)$ arena, similarly to the reduction in Lemma 1; the size of the $G_k(A)$ arena is $O(n^{k+1})$. The overall HD strategy for LimSup therefore needs memory exponential in the number of weights.

For LimInf on the other hand, by Lemma 2 and Theorem 4, the Gk strategy 
can do with memory of size n*~! - 3°. The overall HD strategy therefore has 
memory exponential in the size of A. 
We leave open whether this can be improved upon. Already for coBüchi automata, it is known that deciding whether an automaton is HD is polynomial despite there being automata for which the optimal HD strategy is exponential. Hence, at least for the LimInf case, we cannot expect to do much better. However, for the LimSup case, it might be that polynomial, or even positional HD strategies could suffice. However, positionality is already open for the Büchi case.

Our proof does however imply that if a LimSup automaton A is HD, then 
there is a finite memory HD strategy, which implies that A is determinisable, 
without increasing the number of weights, by taking a product of A with the 
finite HD strategy. (Recall that every LimInf automaton can be determinised, 
while not every LimSup automaton can.) 


Corollary 3. Every HD LimSup automaton is equivalent to a deterministic one 
with at most an exponential number of states and the same set of weights. 


6 Conclusions 


We have extended the token-game approach to characterising history-determinism 
from the Boolean ($\omega$-regular) to the quantitative setting. Already 1-token games 
turn out to be useful for characterising history-determinism for some quanti- 
tative automata. For LimSup and LimInf automata, one token is not enough, 
but the 2-token game does the trick. Given the correspondence between decid- 
ing history-determinism and the best-value synthesis problem, our results also 
directly provide algorithms both to decide whether the synthesis problem is re- 
alisable and to compute a solution strategy. 

This application further motivates understanding the limits of these tech- 
niques. Whether the 2-token game $G_2$ characterises more general Boolean classes 
of automata beyond Büchi and coBüchi automata is already an open ques- 
tion. Similarly, we leave open whether the $G_2$ game also characterises history- 
determinism for limit-average automata and other quantitative automata. At 
the moment we are not aware of examples of automata of any kind (quanti- 
tative, pushdown, register, timed, ...) for which Eve could win G2 despite the 
automaton not being history-deterministic, yet even for parity automata, a proof 
of characterisation remains elusive. 
Abstract While the complexity of translating future linear temporal 
logic (LTL) into automata on infinite words is well-understood, the size 
increase involved in turning automata back to LTL is not. In particular, 
there is no known elementary bound on the complexity of translating 
deterministic $\omega$-regular automata to LTL. 

Our first contribution consists of tight bounds for LTL over a unary al- 
phabet: alternating, nondeterministic and deterministic automata can be 
exactly exponentially, quadratically and linearly more succinct, respect- 
ively, than any equivalent LTL formula. Our main contribution consists 
of a translation of general counter-free deterministic $\omega$-regular automata 
into LTL formulas of double exponential temporal-nesting depth and 
triple exponential length, using an intermediate Krohn-Rhodes cascade 
decomposition of the automaton. To our knowledge, this is the first ele- 
mentary bound on this translation. Furthermore, our translation pre- 
serves the acceptance condition of the automaton in the sense that it 
turns a looping, weak, Büchi, coBüchi or Muller automaton into a for- 
mula that belongs to the matching class of the syntactic future hierarchy. 
In particular, it can be used to translate an LTL formula recognising a 
safety language to a formula belonging to the safety fragment of LTL 
(over both finite and infinite words). 


Keywords: Linear temporal logic · Automata · Cascade decomposition 


1 Introduction 


Linear Temporal Logic with only future temporal operators (from here on LTL) 
and $\omega$-regular automata, whether deterministic, nondeterministic or alternating, 
are both well-established formalisms to describe properties of infinite-word lan- 
guages. LTL is popular in formal verification and synthesis due to its simple 
syntax and semantics. Yet, while properties might be convenient to define in 
LTL, most verification and synthesis algorithms eventually compile LTL formu- 
las into $\omega$-regular automata. The expressiveness of both these key formalisms, as 
well as translations from LTL to automata of various types, are well understood. 
Here, we consider the converse translations, which, in comparison, have received 
less attention: up till now, no elementary upper bound on the size blow-up of 
going from automata to LTL was known. 

Regarding expressive power, deterministic Muller automata, nondetermin- 
istic Büchi automata, and weak alternating automata recognise all w-regular 
languages [21,40]. LTL-definable languages (surveyed in [13]) are a strict subset 
thereof, also defined by first-order logic, star-free regular expressions, aperiodic 
monoids, counter-free automata, and very weak alternating automata. As for 
succinctness, nondeterministic and alternating automata can be exponentially 
and double-exponentially more succinct than deterministic automata, respect- 
ively. Determinisation in particular has precise bounds [32,35,24,36,12,3]. 

The succinctness of various representations of LTL-definable languages is less 
clear: effective translations between the different models are far from straight- 
forward, and their complexity is sometimes uncertain. In particular, to the best 
of our knowledge, up to now there has been no elementary bound even on the 
translation of deterministic counter-free automata, arguably the simplest auto- 
mata model for this class of languages, into LTL formulas. (Considering LTL 
with both future and past temporal operators, there is a double-exponential up- 
per bound on the length of the formula [26]⁴.) The complexity of obtaining a 
deterministic counter-free automaton from a nondeterministic one is also, to the 
best of our knowledge, open. 

We study the complexity of translating automata to LTL (equivalently, to 
very weak alternating automata), considering formula length, size, and nesting 
depth of temporal operators. 

We begin (Section 3), as a warm-up, with the unary alphabet case on fi- 
nite words. We show that the size-blow up involved in translating deterministic, 
non-deterministic and alternating automata to LTL, when possible, is linear, 
quadratic and exponential, respectively, and these bounds are tight. In contrast, 
going from LTL to alternating, nondeterministic and deterministic automata is 
linear, exponential and double-exponential, respectively [33,41,19]. 

The case of non-unary alphabets is much more difficult. We provide a transla- 
tion of counter-free deterministic $\omega$-regular automata (with any acceptance con- 
dition) into LTL formulas with double exponential depth and triple exponential 
length. Our translation uses an intermediate Krohn-Rhodes reset cascade decom- 
position (wreath product) of deterministic automata, which is a deterministic 
automaton built from simple components. 

Our main technical contribution consists of a translation of a reset cascade 
into an LTL formula of depth linear and length singly exponential in the number 
of cascade configurations. Combining this with Eilenberg’s Holonomy translation 
of a semigroup into a cascade [14, Corollary II.7.2] and Pnueli and Maler's adaptation of it to automata [26, Theorem 3] (see Remark 1), we obtain a translation of counter-free deterministic $\omega$-regular automata into LTL formulas of double exponential depth and triple exponential length. Our construction preserves the acceptance condition of the automaton in the sense that it turns a Büchi-looping, coBüchi-looping, weak, Büchi or coBüchi automaton into a formula that belongs to the matching class of the syntactic future hierarchy (see Definition 1 and [8]).


⁴ See Remark 1 on whether the upper bound in [26] is single or double exponential.


Related work 


Finite words. While LTL is usually interpreted over infinite words, it also admits 
finite-word semantics that coincide with the finite word version of the other 
equivalent formalisms. The equivalence between FO and star-free languages on 
finite words is due to McNaughton and Papert [31]. Cohen, Perrin and Pin [10] 
used the Krohn-Rhodes decomposition to characterise the expressive power of 
LTL with only X and F (eventually), but do not provide bounds on the size 
trade-off between the different models. Wilke [42] gives a double-exponential 
translation from counter-free DFA to LTL. More recently, Bojańczyk provided 
an algebraically flavoured adaptation of Wilke’s proof [2, Section 2.2.2]. 


Infinite words. With substantial effort over several decades, the above techniques 
have been extended to infinite words using intricate tools with opaque complex- 
ities. Ladner [22] and Thomas [38,39] for example extended the equivalence of 
star-free regular expressions and FO to infinite words, while the $\omega$-extension of 
the equivalence with aperiodic languages is due to Perrin [34]. The correspond- 
ence with LTL is due to Kamp [18] and Gabbay, Pnueli, Shelah and Stavi [16]. 
Diekert and Gastin's survey [13] provides an algebraic translation into LTL via 
$\omega$-monoids while Cohen-Chesnot gives a direct algebraic proof of the equivalence of 
star-free w-regular expressions and LTL [11]. Wilke takes an automata-theoretic 
approach, using backward deterministic automata [43,44]. However, none of the 
above address the complexity of the transformations. Zuck’s dissertation [46] 
gives a translation of star-free regular expressions into LTL, with at least non- 
elementary complexity. Subsequently, Chang, Manna and Pnueli [8] use Zuck's 
results to show that the levels of their hierarchy of future temporal properties 
coincide with syntactic fragments of LTL. Sickert and Esparza [37] gave an ex- 
ponential translation of any LTL formula into level $\Delta_2$ of this hierarchy. 


2 Preliminaries 


Languages. An alphabet $\Sigma$, of size $|\Sigma|$, is a finite set of letters. $\Sigma^*$, $\Sigma^+$, and $\Sigma^\omega$ denote the sets of finite, nonempty finite, and infinite words over $\Sigma$, respectively. A language of finite or infinite words is a subset of $\Sigma^*$ or $\Sigma^\omega$, respectively. We write $[i..j]$ and $[i..j)$, with integers $i \le j$, for the sets $\{i, i+1, \ldots, j\}$ and $\{i, i+1, \ldots, j-1\}$, respectively. For a word $w = \sigma_0 \cdot \sigma_1 \cdots$, we write $|w|$ for its length ($\infty$ if $w$ is infinite), $w[i]$ for $\sigma_i$, $w_{[i..j]}$ and $w_{[i..j)}$ for its corresponding infixes ($w_{[i..i)}$ is the empty word), and $w_{[i..)}$ for its (finite or infinite) suffix $\sigma_i \cdot \sigma_{i+1} \cdots$.
Linear Temporal Logic (LTL). Let $AP$ be a finite set of atomic propositions. LTL formulas are constructed from the constant $\mathrm{true}$, atomic propositions $a \in AP$, the connectives $\neg$ (negation) and $\wedge$ (and), and the temporal operators $U$ (until) and $X$ (next). Their semantics are given by a satisfiability relation $\models$ between finite or infinite words $w \in (2^{AP})^+ \cup (2^{AP})^\omega$, and a formula $\varphi$ inductively as follows:

$w \models \mathrm{true}$

$w \models a$ iff $a \in w[0]$

$w \models \neg\varphi$ iff $w \not\models \varphi$

$w \models \varphi \wedge \psi$ iff $w \models \varphi$ and $w \models \psi$

$w \models X\varphi$ iff $|w| > 1$ and $w_{[1..)} \models \varphi$

$w \models \varphi U \psi$ iff $\exists i \in [0..|w|).\ w_{[i..)} \models \psi$ and $\forall j \in [0..i).\ w_{[j..)} \models \varphi$


We also use the common shortcuts $\mathrm{false} := \neg\mathrm{true}$, $\varphi \vee \psi := \neg((\neg\varphi) \wedge (\neg\psi))$, $F\varphi := \mathrm{true}\,U\,\varphi$, $G\varphi := \neg F \neg\varphi$, and $\varphi_1 R \varphi_2 := \neg((\neg\varphi_1)\,U\,(\neg\varphi_2))$. The language of finite words of $\varphi$ is $L^{<\omega}(\varphi) := \{w \in (2^{AP})^+ \mid w \models \varphi\}$, and the language of infinite words is $L^{\omega}(\varphi) := \{w \in (2^{AP})^\omega \mid w \models \varphi\}$. Note that we omit the "$<\omega$" superscript if it is clear from the context which set is used. The length $|\varphi|$ of $\varphi$ is the number of nodes in its syntax tree, the size of $\varphi$ is the number of nodes in a DAG representing this syntax tree, and its temporal nesting depth, denoted by $\mathrm{depth}(\varphi)$, is defined by: $\mathrm{depth}(\mathrm{true}) = 0$; $\mathrm{depth}(a) = 0$ for an atomic proposition $a \in AP$; $\mathrm{depth}(\neg\varphi) = \mathrm{depth}(\varphi)$; $\mathrm{depth}(\varphi_1 \wedge \varphi_2) = \max(\mathrm{depth}(\varphi_1), \mathrm{depth}(\varphi_2))$; $\mathrm{depth}(X\varphi) = \mathrm{depth}(\varphi) + 1$; and $\mathrm{depth}(\varphi_1 U \varphi_2) = \max(\mathrm{depth}(\varphi_1), \mathrm{depth}(\varphi_2)) + 1$. Chang, Manna, and Pnueli define in [8] a syntactic hierarchy for LTL formulas (over infinite words):


Definition 1 (LTL Syntactic future hierarchy [8]⁵).


— $\Sigma_0 = \Pi_0 = \Delta_0$ is the least set containing all atomic propositions and their negations, and is closed under the application of conjunction and disjunction.

— $\Sigma_{i+1}$ is the least set containing $\Pi_i$ and negated formulas of $\Pi_{i+1}$ closed under the application of conjunction, disjunction, and the $X$ and $U$ operators.

— $\Pi_{i+1}$ is the least set containing $\Sigma_i$ and negated formulas of $\Sigma_{i+1}$ closed under the application of conjunction, disjunction, and the $X$ and $R$ operators.

— $\Delta_{i+1}$ is the least set containing $\Sigma_{i+1}$ and $\Pi_{i+1}$ that is closed under the application of conjunction, disjunction, and negation.


$\Sigma_1$ is referred to as syntactic co-safety formulas, $\Pi_1$ as syntactic safety formulas.


Automata. A deterministic semiautomaton is a tuple $D = (\Sigma, Q, \delta)$, where $\Sigma$ is an alphabet; $Q$ is a finite nonempty set of states; and $\delta: Q \times \Sigma \to Q$ is a transition function, which we extend to finite words in the usual way. A path of $D$ on a word $w = \sigma_0 \cdot \sigma_1 \cdots$ is a sequence of states $q_0, q_1, \ldots$, such that for every $i < |w|$, we have $\delta(q_i, \sigma_i) = q_{i+1}$.

It is a reset semiautomaton if for every letter $\sigma \in \Sigma$, either i) for every state $q \in Q$ we have $\delta(q, \sigma) = q$, or ii) there exists a state $q' \in Q$, such that for every state $q \in Q$ we have $\delta(q, \sigma) = q'$.


⁵ This extends [6,37] with negation, which can be removed via negation normal form.

It is counter free if for every state $q \in Q$, finite word $u \in \Sigma^+$, and number $n \in \mathbb{N} \setminus \{0\}$, there is a self loop of $q$ on $u^n$ iff there is a self loop of $q$ on $u$.

A deterministic automaton is a tuple $D = (\Sigma, Q, \iota, \delta, \alpha)$, where $(\Sigma, Q, \delta)$ is a deterministic semiautomaton, $\iota \in Q$ is an initial state, and $\alpha$ is some acceptance condition, as detailed below. A run of $D$ on a word $w$ is a path of $D$ on $w$ that starts in $\iota$. It is a reset or counter-free automaton if its semiautomaton is.

The acceptance condition of an automaton on finite words is a set $F \subseteq Q$; a run is accepting if it ends in a state $q \in F$. The acceptance condition of an $\omega$-regular automaton, on infinite words, is defined with respect to the set $\mathrm{inf}(r)$ of states visited infinitely often along a run $r$. We define below several acceptance conditions that we use in the sequel; for other conditions, see, for example, [3].

The Muller condition is a set $\alpha = \{M_1, \ldots, M_k\}$ of sets $M_i \subseteq Q$ of states, and a run $r$ is accepting if there exists a set $M_i$, such that $M_i = \mathrm{inf}(r)$. The Rabin condition is a set $\alpha = \{(G_1, B_1), \ldots, (G_k, B_k)\}$ of pairs of sets of states, and $r$ is accepting if there exists a pair $(G_i, B_i)$, such that $G_i \cap \mathrm{inf}(r) \neq \emptyset$ and $B_i \cap \mathrm{inf}(r) = \emptyset$. The Büchi (resp. coBüchi) condition is a set $\alpha \subseteq Q$ of states, and $r$ is accepting if $\alpha \cap \mathrm{inf}(r) \neq \emptyset$ (resp. $\alpha \cap \mathrm{inf}(r) = \emptyset$). A weak automaton is a Büchi automaton, in which every strongly connected component (SCC) contains only states in $\alpha$ or only states out of $\alpha$. A looping automaton is a Büchi or coBüchi automaton, where all states are in $\alpha$, except for a single sink state.

Deterministic automata of the above types correspond to the hierarchy of temporal properties [28]: Looping-Büchi, looping-coBüchi, weak, Büchi, coBüchi, and Rabin/Muller deterministic automata define respectively safety, guarantee (co-safety), obligation, recurrence, persistence, and reactivity languages. If the language is also LTL-definable, then there exists an equivalent LTL formula in $\Pi_1$, $\Sigma_1$, $\Delta_1$, $\Pi_2$, $\Sigma_2$, and $\Delta_2$, respectively [8]. Every deterministic $\omega$-regular automaton is equivalent to deterministic Muller and Rabin automata, where the Muller (but not always Rabin) one can be defined on the same semiautomaton.

Nondeterministic and alternating automata (to which we only refer in Section 3, on finite words over a unary alphabet) extend deterministic automata by having a transition function $\delta: Q \times \Sigma \to 2^Q$ and $\delta: Q \times \Sigma \to$ (positive Boolean formulas over $Q$), respectively. (See, for example, [7] for formal definitions.)


3 Unary Alphabet 


Kupferman, Ta-Shma and Vardi [20] compared the succinctness of different automata models when counting, that is, recognising the singleton language $\{a^k\}$ for some $k$ over the singleton alphabet $\{a\}$. For the succinctness gap between automata and LTL, we study the task of recognising arbitrary languages over the unary alphabet, which can be seen as sets of integers, rather than a single integer.

For a unary alphabet, since there is only one infinite word, only languages on finite words are interesting. We thus consider LTL formulas over (no) atomic propositions $AP = \emptyset$, and automata on finite unary words over the corresponding alphabet $\Sigma = 2^{AP} = \{\emptyset\}$, where we use the shorthand $a = \emptyset$. The size of a deterministic automaton is the number of its states, of a nondeterministic automaton the number of its transitions, and of an alternating automaton the number of subformulas in its transition function.

On the Translation of Automata to Linear Temporal Logic 145

We show that the size blow-up involved in translating deterministic, nondeterministic, and alternating automata to LTL, when possible, is linear, quadratic, and exponential, respectively.


In our analysis, we shall use the following folklore theorem, which extends 
Wolper’s Theorem [45]. 


Proposition 1 (Extended Wolper's theorem, Folklore). Consider an LTL formula $\varphi$ with $\mathrm{depth}(\varphi) = n$ over the atomic propositions $AP$, and let $\Sigma = 2^{AP}$. Then for every words $u \in \Sigma^*$, $v \in \Sigma^+$ and $t \in \Sigma^\omega$, and numbers $i, j \ge n$, $\varphi$ has the same truth value on the words $u v^i t$ and $u v^j t$.


We use this to establish that unary LTL describes only finite and co-finite 
properties, and that there is a tight relation between the depth of LTL formulas 
and the length of words above which they are all in or all out of the language. 


Proposition 2. Given an LTL formula $\varphi$ with $\mathrm{depth}(\varphi) = n$ on finite words over the unary alphabet $\{a\}$, $a^i \in L(\varphi)$ for all $i > n$ or $a^i \notin L(\varphi)$ for all $i > n$.


Proposition 3. Consider a language $L \subseteq \{a\}^*$ that agrees on all words of length over $n$, that is, has the same truth value on all such words. Then there is an LTL formula of size in $O(n)$ with language $L$.
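The finite-word LTL semantics, shortcuts and depth/length/size of Section 2, together with the unary-alphabet facts of Propositions 2 and 3, worked out as an added example (this is not code from the paper): formulas are nested tuples, words are lists of frozensets over $AP$, and the concrete encoding of Proposition 3 (an exact-length test `X^{m-1} true ∧ ¬X^m true` per short word plus `X^n true` for the tail) is my own choice, not the authors'.

```python
# Added example (not the paper's code): the finite-word LTL semantics, shortcuts
# and depth/length/size of Section 2, plus the unary-alphabet constructions behind
# Propositions 2 and 3. Formulas are nested tuples; words are lists of frozensets
# (subsets of AP). Function names and the Proposition 3 encoding are assumptions.

TRUE = ("true",)


def AP(name): return ("ap", name)
def NOT(p): return ("not", p)
def AND(p, q): return ("and", p, q)
def X(p): return ("X", p)
def U(p, q): return ("U", p, q)
def OR(p, q): return NOT(AND(NOT(p), NOT(q)))   # phi v psi := not((not phi) and (not psi))
def F(p): return U(TRUE, p)                      # F phi := true U phi
def G(p): return NOT(F(NOT(p)))                  # G phi := not F not phi
def R(p, q): return NOT(U(NOT(p), NOT(q)))       # phi R psi := not((not phi) U (not psi))


def holds(w, phi, i=0):
    """w[i..) |= phi for a nonempty finite word w, following the relation of Section 2."""
    op = phi[0]
    if op == "true":
        return True
    if op == "ap":
        return phi[1] in w[i]
    if op == "not":
        return not holds(w, phi[1], i)
    if op == "and":
        return holds(w, phi[1], i) and holds(w, phi[2], i)
    if op == "X":  # X needs a next position: |w[i..)| > 1
        return len(w) - i > 1 and holds(w, phi[1], i + 1)
    if op == "U":  # some j in [i..|w|) satisfies psi and every k in [i..j) satisfies phi
        return any(holds(w, phi[2], j) and all(holds(w, phi[1], k) for k in range(i, j))
                   for j in range(i, len(w)))
    raise ValueError(op)


def depth(phi):
    """Temporal nesting depth: X and U add one level, the Boolean connectives do not."""
    op, args = phi[0], [c for c in phi[1:] if isinstance(c, tuple)]
    inner = max((depth(c) for c in args), default=0)
    return inner + 1 if op in ("X", "U") else inner


def length(phi):
    """Number of nodes of the syntax tree."""
    return 1 + sum(length(c) for c in phi[1:] if isinstance(c, tuple))


def size(phi):
    """Number of nodes of the DAG of the syntax tree, i.e. of distinct subformulas."""
    def subformulas(p):
        s = {p}
        for c in p[1:]:
            if isinstance(c, tuple):
                s |= subformulas(c)
        return s
    return len(subformulas(phi))


def x_true(k):
    """X^k true, which holds on w iff |w| > k."""
    p = TRUE
    for _ in range(k):
        p = X(p)
    return p


def unary_formula(n, inside, tail):
    """Proposition 3 style formula (assumed encoding) for L over {a}, given by the lengths
    `inside` (within [1..n]) of its short words and the common truth value `tail` of all
    words longer than n. Sharing the chain X^k true keeps the size (not the length) in O(n)."""
    phi = NOT(TRUE)  # false
    for m in sorted(inside):
        phi = OR(phi, AND(x_true(m - 1), NOT(x_true(m))))  # |w| == m
    if tail:
        phi = OR(phi, x_true(n))  # |w| > n
    return phi


def unary_word(m):
    """a^m over AP = {}: m copies of the only letter, the empty set."""
    return [frozenset()] * m


def unary_profile(phi, max_len):
    """Truth values of phi on a^1, ..., a^max_len; by Proposition 2 they are constant beyond depth(phi)."""
    return [holds(unary_word(m), phi) for m in range(1, max_len + 1)]
```

Running `unary_profile` on a formula of depth $n$ shows the Proposition 2 behaviour directly: whatever the formula, the entries for $a^{n+1}, a^{n+2}, \ldots$ all agree.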


We now establish the trade-off between LTL and alternating automata (AFA) 
over unary alphabets. AFA are closed under (linear) complementation, so we use 
a pumping argument to bound the length after which all words have the same 
truth value, giving an upper bound on the LTL formula. 


Lemma 1. Every alternating automaton with $n$ states that recognises an LTL-expressible language $L \subseteq \{a\}^*$ is equivalent to an LTL formula of size in $O(2^n)$.


We show next that this upper bound is tight. Consider the language $\{a^{2^n-1}\}$, which, according to Proposition 2, is only recognised by LTL formulas of size at least $2^n - 1$. It is recognised by a weak alternating automaton with $2n$ states and size in $O(n)$, using an automaton based on Leiss's construction [23]. Intuitively, the alternating automaton represents an $n$-bit up-counter with two states for each bit, one for 1 and one for 0 (see Fig. 1), where the universal transitions enforce that nondeterministic transitions correctly update the counter.


Lemma 2 (Adaptation of [23, proof of Theorem 1]). For every $n \in \mathbb{N} \setminus \{0\}$, there is a weak alternating automaton with $2n$ states and transition function of size in $O(n)$ recognising the language $\{a^{2^n-1}\}$.


We continue to nondeterministic automata (NFAs), for which the arguments 
are more involved as they do not allow for linear complementation. 
Figure 1. An alternating automaton of size in $O(n)$ recognising $\{a^{2^n-1}\}$; here with $n = 3$, where the initial configuration is $q_{1,0} \wedge q_{2,0} \wedge q_{3,0}$.


Lemma 3. Every nondeterministic automaton with $n$ states recognising an LTL-expressible language $L \subseteq \{a\}^*$ is equivalent to an LTL formula of size in $O(n^2)$.


Proof sketch. For finite $L$, by a pumping argument, $A$ only accepts words up to length $n$, and by Proposition 3 we are done. We now consider a co-finite $L$.

We use 2-way deterministic automata, which are deterministic automata that process words of the form $\vdash w \dashv$, where $\vdash$ and $\dashv$ are start- and end-of-word markers respectively, and where transitions specify whether to read the letter to the right or to the left of the current position. They accept by reaching an end state, and reject by reaching a rejecting state or by failing to terminate [17], and every unary NFA $A$ can be turned into a 2-way DFA $D$ of size $O(n^2)$ [9].

We construct from an NFA $A$ a 2-way DFA $D$, and then a 2-way DFA $D'$ of the same size that recognises $a^* \setminus \{a^k\}$, where $a^k$ is the longest word not in $L$. We use the fact that a 2-way DFA of size $m$ can be complemented into one of size $4m$ [17] to complement $D'$ into $D''$ that recognises $\{a^k\}$ and must therefore be of size at least $k + 2$ [1], so $k$, and by Proposition 2, an LTL formula for $L$, is in $O(n^2)$.


We now show that this upper bound is tight. The previous lower bound ideas do not work with nondeterminism, since we need $n$ states to recognise $\{a^n\}$ [20]. Yet, we need not count exactly to $n$ for achieving a lower bound. We can use a variant of a language used in [4, pages 10-11]: For every positive integer $k$, define the set of positive integers $S_k = \{m > 0 \mid \exists i, j \in \mathbb{N}.\ m = ik + j(k+1)\}$, and the language $V_k = \{a^m \mid m \in S_k\} \subseteq \{a\}^*$.


Proposition 4 (Folklore, [4, Theorem 3]). For every $k \in \mathbb{N}$ the number $k^2 - k - 1$ is the maximal number not in $S_k$.

Proposition 5 ([4, proof of Theorem 4]). For every $n \in \mathbb{N}$, there is an NFA of size in $O(n)$ recognising a co-finite language $L \subseteq \{a\}^*$, such that $a^{k^2-k-1}$ is not in $L$, while for every $t \ge k^2 - k$, we have that $a^t \in L$.


Theorem 1. The size blow-up involved in translating deterministic, nondeterministic, and alternating automata on finite unary words to LTL, when possible, is $O(n)$, $O(n^2)$, and $O(2^n)$, respectively.


4 General Alphabet 


In this section we consider the more challenging task of turning counter-free $\omega$- 
regular automata over arbitrary alphabets into LTL. We use the fact that these 
automata can be turned into reset cascade automata (Krohn-Rhodes-Holonomy 
decomposition), which we describe in Section 4.1. Our technical contribution is 
then the translation of reset cascade automata into LTL. 

In brief, we build, in Section 4.2, a parameterised LTL formula that is satisfied by a word $w$ iff the run of the cascade on $w$, starting in the parameter configuration $S$, reaches a parameter configuration $T$, such that the remaining suffix of $w$ satisfies a parameter LTL formula $\tau$. We then use this formula, in Section 4.4, to describe the automaton's acceptance condition.

When encoding the behavior of a cascade by an LTL formula, we need to 
overcome two major challenges: First, the cascade is a formalism that looks at 
the past, namely at the word read so far, to determine the next configuration, 
while an LTL formula obtains its value only from the future. Second, the cascade 
has an internal state, while an LTL formula does not. Our reachability formulas 
are therefore quite involved, built inductively over the number of levels in the 
cascade, and implicitly allowing to track the internal configuration of the cascade. 

In Section 4.3 we analyse the length and depth of the resulting formulas. 


4.1 Cascaded Automata 


Cascades. A cascaded semiautomaton (analogous to the algebraic wreath product) over an alphabet $\Sigma$ is a semiautomaton that can be described as a sequence of simple semiautomata, such that the alphabet of each of them is $\Sigma$ together with the current state of each of the preceding semiautomata in the sequence. It is a reset cascade if it is a sequence of reset semiautomata. Formally, a cascaded semiautomaton, or just cascade, over alphabet $\Sigma$ with $n$ levels is a tuple $A = (\Sigma, A_1, A_2, \ldots, A_n)$, such that $A_i = (\Sigma_i, Q_i, \delta_i)$ is a semiautomaton for each level $i$, where $\Sigma_i = \Sigma \times Q_1 \times \cdots \times Q_{i-1}$. (So $\Sigma_1 = \Sigma$, $\Sigma_2 = \Sigma \times Q_1$, etc.) It is a reset cascade if all $A_i$'s are reset semiautomata.

An $i$-configuration $S$ of $A$ is a tuple $(q_1, q_2, \ldots, q_i) \in Q_1 \times \cdots \times Q_i$. If $q_{i+1} \in Q_{i+1}$ is a state of level $i+1$, we write $(S, q_{i+1})$ for the $(i+1)$-configuration $(q_1, \ldots, q_i, q_{i+1})$. Note that the 0-configuration is the empty tuple $()$. Further, we derive the transition relation for configurations by point-wise application of the respective $\delta_i$'s. We define $\delta_{\le i}((q_1, q_2, \ldots, q_i), \sigma)$ as $(\delta_1(q_1, (\sigma)), \delta_2(q_2, (\sigma, q_1)), \ldots)$. Note that we will omit the "$\le i$"-subscript if it is clear from context, and by just writing "configuration", we mean an $n$-configuration.

Notice that $A$ describes a standard semiautomaton $D_A$ over $\Sigma$, whose states are the configurations of $A$ of level $n$, and its transition function is $\delta_{\le n}$. If there are up to $j$ states in each level of $A$, there are up to $j^n$ states in $D_A$. Observe that when $A$ is a reset cascade, it can be translated to an equivalent reset cascade with up to $n \log j$ levels, and 2 states in each level [14, Ex. 1.10.2].

For a state $q \in Q_i$ of level $i$ of a reset cascade, we denote by $\mathrm{Enter}(q)$, $\mathrm{Stay}(q)$, and $\mathrm{Leave}(q) \subseteq \Sigma \times Q_1 \times \cdots \times Q_{i-1}$ the sets of (combined) letters that enter $q$, stay in it, and leave it, respectively. These are sets of pairs $(\sigma, S)$, where $S$ is an $(i-1)$-configuration and $\sigma \in \Sigma$. Notice that $\mathrm{Enter}(q) \subseteq \mathrm{Stay}(q)$, and that $\mathrm{Leave}(q)$ is the complement of $\mathrm{Stay}(q)$ (w.r.t. the relevant (combined) letters).

A semiautomaton $(\Sigma, Q, \delta)$ is homomorphic to a cascade $(\Sigma, A_1, \ldots, A_n)$ if there exists a partial surjective function $\gamma: Q_1 \times \cdots \times Q_n \to Q$, such that for every $\sigma \in \Sigma$ and $S \in Q_1 \times \cdots \times Q_n$, we have $\delta(\gamma(S), \sigma) = \gamma(\delta_{\le n}(S, \sigma))$.
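The reset-cascade definitions of this subsection (levels reading combined letters, the point-wise $\delta_{\le i}$, the induced semiautomaton $D_A$, and the Enter/Stay/Leave sets), together with the counter-free test of Section 2, as an added example that is not the paper's code; the two-level sample cascade, the class and function names, and the monoid-based formulation of the counter-free check (no $\delta(\cdot,u)$ has a cycle of length $\ge 2$) are my own assumptions.

```python
# Added example (not from the paper): a reset cascade as in Section 4.1, its
# configuration-wise transition delta_{<=i}, the Enter/Stay/Leave sets, the induced
# semiautomaton D_A, and the counter-free test of Section 2. The sample cascade,
# all names, and the transition-monoid formulation of "counter free" are assumptions.
from itertools import product


class ResetCascade:
    """A = (Sigma, A_1, ..., A_n); level i reads combined letters (sigma, q_1, ..., q_{i-1})."""

    def __init__(self, sigma, levels):
        # levels[i] = (states_i, delta_i) with delta_i[(q, combined_letter)] = q'
        self.sigma = list(sigma)
        self.levels = levels

    def combined_letters(self, i):
        """Alphabet Sigma_i = Sigma x Q_1 x ... x Q_{i-1} of level i (0-based index)."""
        prefixes = list(product(*(states for states, _ in self.levels[:i])))
        return [(a,) + tuple(pre) for a in self.sigma for pre in prefixes]

    def step(self, config, a):
        """delta_{<=i}(config, a): level i moves on (a, current states of the levels below it)."""
        return tuple(delta[(config[i], (a,) + tuple(config[:i]))]
                     for i, (_, delta) in enumerate(self.levels[:len(config)]))

    def run(self, config, word):
        for a in word:
            config = self.step(config, a)
        return config

    def is_reset(self, i):
        """Level i is a reset semiautomaton: each combined letter is the identity or a constant."""
        states, delta = self.levels[i]
        for ell in self.combined_letters(i):
            images = {delta[(q, ell)] for q in states}
            if len(images) != 1 and any(delta[(q, ell)] != q for q in states):
                return False
        return True

    def enter_stay_leave(self, i, q):
        """Enter(q): letters resetting every state to q (the only way to enter q from
        elsewhere in a reset level); Stay(q): letters keeping q; Leave(q): the rest."""
        states, delta = self.levels[i]
        letters = self.combined_letters(i)
        enter = {ell for ell in letters if all(delta[(p, ell)] == q for p in states)}
        stay = {ell for ell in letters if delta[(q, ell)] == q}
        return enter, stay, set(letters) - stay


def induced_semiautomaton(cascade):
    """D_A: states are the n-configurations, the transition function is delta_{<=n}."""
    states = list(product(*(s for s, _ in cascade.levels)))
    return states, cascade.sigma, cascade.step


def transition_monoid(states, sigma, delta):
    """All maps delta(., u), u in Sigma*, as tuples indexed like `states`; BFS from the identity."""
    idx = {q: k for k, q in enumerate(states)}
    gens = [tuple(delta(q, a) for q in states) for a in sigma]
    identity = tuple(states)
    seen, frontier = {identity}, [identity]
    while frontier:
        t = frontier.pop()
        for g in gens:
            u = tuple(g[idx[t[k]]] for k in range(len(states)))  # first t, then g
            if u not in seen:
                seen.add(u)
                frontier.append(u)
    return seen


def is_counter_free(states, sigma, delta):
    """Counter free (Section 2): q has a self loop on u^n iff on u, for all q, u, n >= 1.
    Equivalently no delta(., u) has a cycle of length >= 2, i.e. every transformation t
    of the transition monoid satisfies t^m = t^(m+1) for m = |Q|."""
    idx = {q: k for k, q in enumerate(states)}
    m = len(states)

    def power(t, k):
        r = tuple(states)
        for _ in range(k):
            r = tuple(t[idx[q]] for q in r)
        return r

    return all(power(t, m) == power(t, m + 1) for t in transition_monoid(states, sigma, delta))


# Constructed sample: level 1 remembers the last letter (0 after a, 1 after b); level 2
# resets to 1 once it reads b while level 1 is at 0, so D_A tracks "the word contains ab".
SIGMA = ["a", "b"]
LEVEL1 = ([0, 1], {(q, (a,)): (0 if a == "a" else 1) for q in [0, 1] for a in SIGMA})
LEVEL2 = ([0, 1], {(q, (a, p)): (1 if (a, p) == ("b", 0) else q)
                   for q in [0, 1] for a in SIGMA for p in [0, 1]})
CASCADE = ResetCascade(SIGMA, [LEVEL1, LEVEL2])

# Constructed counterexample: a two-state mod-2 counter on one letter has a self loop
# on aa but none on a, so it is not counter free.
MOD2 = ([0, 1], ["a"], lambda q, a: 1 - q)
```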


Proposition 6 (Part of the Krohn-Rhodes-Holonomy Decomposition [14, Corollary II.7.2], [26, Theorem 3]). Every counter-free deterministic semiautomaton $D$ with $n$ states is homomorphic to a reset cascade $A$ with up to $2^n$ levels and $2^n$ states in each level.


Remark 1. The Krohn-Rhodes and Holonomy decomposition theorems consider also more general cascades and give results with respect to arbitrary semiautomata. The Holonomy decomposition in [14], as opposed to many other proofs of the Krohn-Rhodes decomposition, guarantees up to $2^n$ levels with up to $2^n$ states in each level. Yet, it shows that $A$ covers $D$, allowing $A$ to operate over an alphabet different from that of $D$. In [26,27,25], the algebraic proof of [14] is translated to an automata-theoretic one, providing the stated homomorphism. It is also stated in [26, Theorem 3.1], [27, Corollary 20], and [25, Corollary 2] that the number of configurations in $A$ is singly exponential in $n$, but to the best of our understanding they do not provide an explicit proof for it.


Cascades with acceptance conditions. As a cascade $A$ describes a standard semiautomaton (whose states are the configurations of $A$), we can add to it an initial configuration and an acceptance condition to make it a standard deterministic automaton. We show below that the homomorphism between an automaton and a cascade can be extended to also transfer the same acceptance condition.


Proposition 7. Let $D$ be a deterministic Büchi, coBüchi or Rabin automaton, with a semiautomaton homomorphic to a cascade $A$. There is respectively a deterministic Büchi, coBüchi or Rabin automaton $D'$ equivalent to $D$ with semiautomaton $A$. For Rabin, $D$ and $D'$ have the same number of acceptance pairs.


Proposition 8. Consider a deterministic Muller automaton D with n states, 
whose semiautomaton is homomorphic to a reset cascade A with m configura- 
tions. Then there is a deterministic Muller automaton D’ equivalent to D, whose 
semiautomaton is A and its Muller condition has up to 2°°"™ acceptance sets. 
4.2 Encoding Reachability within Reset Cascades by LTL Formulas


For the rest of this section, let us fix a set of atomic propositions $AP$, an alphabet $\Sigma = 2^{AP}$ and a reset cascade $A = (\Sigma, A_1, A_2, \ldots, A_n)$.


The main reachability formula. For every level $i$ of $A$, three configurations $S$, $B$ and $T$ of level $i$, and two LTL formulas $\beta$ and $\tau$, we will define the LTL formula $S \xrightarrow[B(\beta)]{} T(\tau)$ with the intended semantics that it holds on a word $w \in \Sigma^\omega$ iff $A$ goes from the 'starting' configuration $S$ to the 'target' configuration $T$ along some prefix $u$ of $w$, such that the suffix of $w$ after $u$ satisfies $\tau$ and the path along $u$ avoids the 'bad' configuration $B$ with a suffix satisfying $\beta$.


Auxiliary reachability formulas. We will formally define the main reachability formula by induction on the level $i$ of the involved configurations, and using four auxiliary formulas, whose intended semantics is described in Table 1. These formulas distinguish between the case that the top-level state is unchanged along the reachability path, denoted with a solid arrow $\rightarrow$, and the case that it is changed, denoted by a dashed arrow $\dashrightarrow$. They also have dual, weak, versions.


Observe that intuitively $S \rightsquigarrow_{B(\beta)} T(\tau)$ is an extended Until operator, while its dual $S \rightsquigarrow^{\mathrm{weak}}_{B(\beta)} T(\tau) = \neg\big(S \rightsquigarrow_{T(\tau)} B(\beta)\big)$ is an extended Weak until (or Release) operator. We build the formulas so that for appropriate choices of $\beta$ and $\tau$, the (strong) reachability formulas 1, 3, and 5 (as numbered in Table 1) are syntactic co-safety and the weak formulas 2 and 4 are syntactic safety formulas.


Formulas 1 and 2. The main formula is simply defined as the union of two 
auxiliary formulas, corresponding to whether or not the top-level state changes, 
and its weak version is defined to be its dual. 


$$S \rightsquigarrow_{B(\beta)} T(\tau) := \begin{cases} (\neg\beta)\,U\,\tau & \text{if } S = () \\ S \rightarrow_{B(\beta)} T(\tau) \;\vee\; S \dashrightarrow_{B(\beta)} T(\tau) & \text{otherwise.} \end{cases}$$

$$S \rightsquigarrow^{\mathrm{weak}}_{B(\beta)} T(\tau) := \neg\big(S \rightsquigarrow_{T(\tau)} B(\beta)\big)$$
Formula 3. Since the formula should ensure that the top-level state $s$ is unchanged, we first distinguish between four cases, depending on which of the source configuration $(S,s)$, bad configuration $(B,b)$, and target configuration $(T,t)$ are equal. The definitions of the four cases only differ in whether or not each of $\beta$ and $\tau$ is satisfied in the first position of the word.

We define them using an intermediate common formula that is indifferent to the first position, which we mark by "$> 0$" on top of the arrow. We then define the "$> 0$" formula by using the main reachability formula with respect to a lower level, namely with respect to the configurations $S$ and $T$ instead of $(S,s)$ and $(T,t)$, and having corresponding disjunctions and conjunctions on all the combined letters of the top level that belong to $\mathrm{Stay}(s)$ and $\mathrm{Leave}(s)$.
Intended semantics of the reachability formulas (Table 1). For each reachability formula $\varphi$: Intuitively, reading a word $w$ from the configuration $S$ or $(S,s)$; Formally, $w \models \varphi \iff$ the stated condition.

1. $S \rightsquigarrow_{B(\beta)} T(\tau)$
Intuitively: not reaching $B(\beta)$ until reaching $T(\tau)$.
Formally: $\exists i \ge 0.\; \delta(S, w_{[0..i)}) = T \wedge w_{[i..]} \models \tau \wedge \big(\forall j \in [0..i).\; \delta(S, w_{[0..j)}) \ne B \vee w_{[j..]} \not\models \beta\big)$

2. $S \rightsquigarrow^{\mathrm{weak}}_{B(\beta)} T(\tau)$
Intuitively: reaching $T(\tau)$ releases not reaching $B(\beta)$.
Formally: $\forall i \ge 0.\; \big(\delta(S, w_{[0..i)}) = B \wedge w_{[i..]} \models \beta\big) \rightarrow \big(\exists j \in [0..i).\; \delta(S, w_{[0..j)}) = T \wedge w_{[j..]} \models \tau\big)$

3. $(S,s) \rightarrow_{(B,b)(\beta)} (T,t)(\tau)$
Intuitively: not reaching $(B,b)(\beta)$ until reaching $(T,t)(\tau)$, while staying in $s$.
Formally: $\exists i \ge 0.\; \delta((S,s), w_{[0..i)}) = (T,t) \wedge w_{[i..]} \models \tau \wedge \big(\forall j \in [0..i).\; \delta((S,s), w_{[0..j)}) \ne (B,b) \vee w_{[j..]} \not\models \beta\big) \wedge \big(\forall j \in [0..i).\; (w[j], \delta(S, w_{[0..j)})) \in \mathrm{Stay}(s)\big)$

4. $(S,s) \rightarrow^{\mathrm{weak}}_{(B,b)(\beta)} (T,t)(\tau)$
Intuitively: reaching $(T,t)(\tau)$ releases not (reaching $(B,b)(\beta)$ or leaving $s$).
Formally: $\forall i \ge 0.\; \Big(\big(\delta((S,s), w_{[0..i)}) = (B,b) \wedge w_{[i..]} \models \beta\big) \vee \big(i > 0 \wedge (w[i-1], \delta(S, w_{[0..i-1)})) \in \mathrm{Leave}(s)\big)\Big) \rightarrow \big(\exists j \in [0..i).\; \delta((S,s), w_{[0..j)}) = (T,t) \wedge w_{[j..]} \models \tau\big)$

5. $(S,s) \dashrightarrow_{(B,b)(\beta)} (T,t)(\tau)$
Intuitively: not reaching $(B,b)(\beta)$ until reaching $(T,t)(\tau)$, while leaving $s$.
Formally:
Jii, i2 > 0. â , S), Wo..i1)) = (T, A Ge. JET 

A (Eji & [0..21) ` (wlji], 6 (S, W0..51) )) € Enter(t)) 

A (wiiz], 50S, wio..i2))) € rier 

A (Yj2 € [0.. ee Lay, 5((S, 8), Wpo..j)) A (B, b) 


Vv Wija..] a B) 


Table 1. The intended semantics of reachability formulas. Orange subformulas show 
the difference between the auxiliary formulas and the first or second (main) formula. 


$$(S,s) \rightarrow_{(B,b)(\beta)} (T,t)(\tau) = \begin{cases}
(S,s) \rightarrow^{>0}_{(B,b)(\beta)} (T,t)(\tau) & \text{if } (S,s) \ne (B,b) \text{ and } (S,s) \ne (T,t) \\
(S,s) \rightarrow^{>0}_{(B,b)(\beta)} (T,t)(\tau) \vee \tau & \text{if } (S,s) \ne (B,b) \text{ and } (S,s) = (T,t) \\
(S,s) \rightarrow^{>0}_{(B,b)(\beta)} (T,t)(\tau) \wedge \neg\beta & \text{if } (S,s) = (B,b) \text{ and } (S,s) \ne (T,t) \\
\big((S,s) \rightarrow^{>0}_{(B,b)(\beta)} (T,t)(\tau) \wedge \neg\beta\big) \vee \tau & \text{if } (S,s) = (B,b) \text{ and } (S,s) = (T,t)
\end{cases}$$

where

$$(S,s) \rightarrow^{>0}_{(B,b)(\beta)} (T,t)(\tau) = \bigvee_{\substack{(\sigma,T') \in \mathrm{Stay}(s) \\ \text{s.t. } (T',s) \xrightarrow{\sigma} (T,t)}} \Big( S \rightsquigarrow_{T'(\mathit{false})} T'(\sigma \wedge X\tau) \;\wedge\; \bigwedge_{(\eta,L) \in \mathrm{Leave}(s)} S \rightsquigarrow_{L(\eta)} T'(\sigma \wedge X\tau) \;\wedge\; \bigwedge_{\substack{(\rho,B') \in \mathrm{Stay}(s) \\ \text{s.t. } (B',s) \xrightarrow{\rho} (B,b)}} S \rightsquigarrow_{B'(\rho \wedge X\beta)} T'(\sigma \wedge X\tau) \Big)$$


Formula 4. Its intended semantics is also that the top-level state $s$ is unchanged, but we weaken Formula 3 by not enforcing that the target configuration $(T,t)$ is reached and $\tau$ is satisfied. Thus as long as the top-level state $s$ stays unchanged and the bad configuration $(B,b)$ is not reached while satisfying $\beta$, Formula 4 is also satisfied. Note that since both Formula 3 and Formula 4 need to ensure that the top-level state $s$ is unchanged they cannot simply be defined as the dual of each other. However, they share the same construction principle:


$$(S,s) \rightarrow^{\mathrm{weak}}_{(B,b)(\beta)} (T,t)(\tau) = \begin{cases}
(S,s) \rightarrow^{\mathrm{weak},>0}_{(B,b)(\beta)} (T,t)(\tau) & \text{if } (S,s) \ne (B,b) \text{ and } (S,s) \ne (T,t) \\
(S,s) \rightarrow^{\mathrm{weak},>0}_{(B,b)(\beta)} (T,t)(\tau) \vee \tau & \text{if } (S,s) \ne (B,b) \text{ and } (S,s) = (T,t) \\
(S,s) \rightarrow^{\mathrm{weak},>0}_{(B,b)(\beta)} (T,t)(\tau) \wedge \neg\beta & \text{if } (S,s) = (B,b) \text{ and } (S,s) \ne (T,t) \\
\big((S,s) \rightarrow^{\mathrm{weak},>0}_{(B,b)(\beta)} (T,t)(\tau) \vee \tau\big) \wedge \neg\beta & \text{if } (S,s) = (B,b) \text{ and } (S,s) = (T,t)
\end{cases}$$

where

$$(S,s) \rightarrow^{\mathrm{weak},>0}_{(B,b)(\beta)} (T,t)(\tau) = \bigvee_{\substack{(\sigma,T') \in \mathrm{Stay}(s) \\ \text{s.t. } (T',s) \xrightarrow{\sigma} (T,t)}} \Big( \bigwedge_{(\eta,L) \in \mathrm{Leave}(s)} S \rightsquigarrow^{\mathrm{weak}}_{L(\eta)} T'(\sigma \wedge X\tau) \;\wedge\; \bigwedge_{\substack{(\rho,B') \in \mathrm{Stay}(s) \\ \text{s.t. } (B',s) \xrightarrow{\rho} (B,b)}} S \rightsquigarrow^{\mathrm{weak}}_{B'(\rho \wedge X\beta)} T'(\sigma \wedge X\tau) \Big) \qquad (1)$$

$$\vee \Big( \bigwedge_{(\eta,L) \in \mathrm{Leave}(s)} S \rightsquigarrow^{\mathrm{weak}}_{L(\eta)} S(\mathit{false}) \;\wedge\; \bigwedge_{\substack{(\rho,B') \in \mathrm{Stay}(s) \\ \text{s.t. } (B',s) \xrightarrow{\rho} (B,b)}} S \rightsquigarrow^{\mathrm{weak}}_{B'(\rho \wedge X\beta)} S(\mathit{false}) \Big) \qquad (2)$$


Formula 5. The definition of the last reachability formula is the most challenging, since the top-level state changes ($s \ne t$), which prevents the direct usage of lower level configurations.

Intuitively, before reaching the target configuration $(T,t)$, the run must see a combined letter $(\sigma, T') \in \mathrm{Enter}(t)$, after which the top-level state $t$ is preserved and the bad situation $(B,b)(\beta)$ is avoided. This is line (1) of the definition.

The run must also not see $(B,b)(\beta)$ before reaching $T'$, which is handled in line (2), whose difference from line (1) is the additional constraint on the path from $S$ to $T'$. (Line (1) is required for the case that $\mathrm{Enter}(b)$ is empty.) We use Formula 4 for that constraint, rather than Formula 3 which could also be used, in order to ensure that Formula 5 can be a syntactic co-safety formula.
Lastly, line (3) ensures that the top-level state is indeed changed.


$$(S,s) \dashrightarrow_{(B,b)(\beta)} (T,t)(\tau) =$$

$$\bigvee_{(\sigma,T') \in \mathrm{Enter}(t)} \Big( S \rightsquigarrow_{T'(\mathit{false})} T'\big(\sigma \wedge X\big((\delta(T',\sigma), t) \rightarrow_{(B,b)(\beta)} (T,t)(\tau)\big)\big) \Big) \;\wedge \qquad (1)$$

was ROKOTE mE (B:0)(8))) r PNE Toa), ee o) A 

AE A A a 


Leave(s) 


We prove the correctness of the above definitions with respect to the intended 
meaning of Table 1 by induction on the level of the involved configurations. 


Lemma 4. The intended semantics of Table 1 hold for all infinite words $w \in \Sigma^\omega = (2^{AP})^\omega$, configurations $S, B, T$ of level $m \le n$, states $s, b, t$ in level $m+1$ (when $m < n$), and LTL formulas $\beta$ and $\tau$ over $AP$.


Using the same induction principle we prove that the reachability formulas stay within certain classes of the syntactic future hierarchy (Definition 1). We use $S \rightsquigarrow_{B(X)} T(Y) \in Z$ as a shorthand for saying that for all formulas $\beta \in X$ and $\tau \in Y$, the formula $S \rightsquigarrow_{B(\beta)} T(\tau)$ is in $Z$.


Lemma 5. Let $S, B, T$ be configurations of level $m \le n$, and let $s, b, t$ be states in level $m+1$ (when $m < n$). Then for $i \ge 1$ it holds that:

– $S \rightsquigarrow_{B(\Pi_i)} T(\Sigma_i),\; (S,s) \rightarrow_{(B,b)(\Pi_i)} (T,t)(\Sigma_i),\; (S,s) \dashrightarrow_{(B,b)(\Pi_i)} (T,t)(\Sigma_i) \in \Sigma_i$

– $S \rightsquigarrow^{\mathrm{weak}}_{B(\Sigma_i)} T(\Pi_i),\; (S,s) \rightarrow^{\mathrm{weak}}_{(B,b)(\Sigma_i)} (T,t)(\Pi_i) \in \Pi_i$


4.3 Depth and Length Analysis 


We analyze the length and temporal-nesting depth of the LTL reachability for- 
mulas defined in Section 4.2. Notice that both measures are of independent 
interest, as there might be a non-elementary gap between the depth and length 
of LTL formulas [15, Theorem 6]. Since we provide upper bounds, the bound on 
the length of formulas obviously gives also a bound on their size. 

We consider a reset cascade A with n levels, as in Section 4.2, and further assume for the length and depth analysis that it has up to n states in each level. (This assumption holds in the reset cascades that result from the Krohn-Rhodes decomposition as per Proposition 6.)

We define for each of the five reachability formulas a depth function $D_x(i,d)$ and a length function $L_x(i,l)$, where $x$ refers to the number of the reachability formula, to bound the depth and length of the formulas. These depend on the level $i$ of its input configurations $S, B$ and $T$, and the maximal depth $d$ and length $l$ of its input formulas $\beta$ and $\tau$. For the main (first) reachability formula, we also use $D$ and $L$, standing for $D_1$ and $L_1$. For example, the length of the first formula $S \rightsquigarrow_{B(\beta)} T(\tau)$ over configurations $S, B$ and $T$ of level 7 and formulas $\beta$ and $\tau$ of length up to 77 is bounded by the value of $L_1(7, 77)$.

For simplicity, we consider the LTL representation of an alphabet letter $\sigma \in \Sigma$ to be of length 1, while its actual length is $3 \log_2 |\Sigma|$. This increase is due to the need to encode an alphabet letter $\sigma \in \Sigma = 2^{AP}$ as a conjunction of atomic propositions in $AP$. The representation length can be multiplied by the total length of the final relevant formula (e.g., a formula equivalent to the entire reset cascade), since it remains constant along all steps of our inductive computation.

We provide in Table 2 upper bounds on the depth and length functions, relative to values of other depth and length functions with respect to configurations of the same or lower-by-one level. The table is constructed by following the syntactic definitions of the reachability formulas, and applying basic simplifications to the resulting expressions. For example, $L_1(0,l) = 2 + 2l$ stands for the length of $(\neg\beta)\,U\,\tau$. In Lemma 6 we will use Table 2 to bound the absolute depth and length of the main reachability formula.


Depth Analysis. The temporal nesting depth of the main reachability formula $S \rightsquigarrow_{B(\beta)} T(\tau)$ is intuitively exponential in the number $n$ of levels of the reset cascade (linear in the number of configurations), since it is defined inductively along these levels, and the depth of a level-$(i+1)$ formula is about twice the depth of a level-$i$ formula. The parameters of the reachability formula are both the configurations $S, B$ and $T$ of level $i$, and the formulas $\beta$ and $\tau$; yet, the depth of the reachability formula only linearly depends on the depth of $\beta$ and $\tau$.


Length Analysis. Intuitively, the overall length of the main reachability formula $S \rightsquigarrow_{B(\beta)} T(\tau)$ with respect to configurations of the top level is doubly exponential in the number $n$ of levels of the reset cascade (and thus singly exponential in the number of configurations), since the formula is defined inductively along these levels, and the length $L(i,l)$ is roughly $L(i-1,l) \cdot L(i-1,1)$. More precisely, $L(i,l) = l \cdot f(i)$ for some doubly exponential function $f(i)$.

Now, why is $L(i,l)$ roughly equal to $L(i-1,l) \cdot L(i-1,1)$? The dominant component of the level-$i$ reachability formula is line (2) in the definition of $(S,s) \dashrightarrow_{(B,b)(\beta)} (T,t)(\tau)$. It is a level-$(i-1)$ reachability formula whose formula-parameters are themselves auxiliary reachability formulas of level $i$ with formula parameters of length $l$. The length of an auxiliary reachability formula of level $i$ is roughly as of the main reachability formula of level $i-1$, implying that the length $L_i(l)$ is roughly $L_{i-1}(L_{i-1}(l))$. By the inductive proof that $L_{i-1}(l) = l \cdot f(i-1)$,

As for the many disjunctions and conjunctions that appear in the formulas, 
observe that the number of disjuncts and conjuncts does not depend on the 
Bounds on $\mathrm{depth}(\varphi)$ and $|\varphi|$ for each reachability formula $\varphi$ (Table 2):

1. $S \rightsquigarrow_{B(\beta)} T(\tau)$:
$D_1(i,d) \le \begin{cases} d + 1 & \text{if } i = 0 \\ \max(D_3(i,d), D_5(i,d)) & \text{otherwise} \end{cases}$
$L_1(i,l) \le \begin{cases} 2 + 2l & \text{if } i = 0 \\ 1 + L_3(i,l) + L_5(i,l) & \text{otherwise} \end{cases}$

2. $S \rightsquigarrow^{\mathrm{weak}}_{B(\beta)} T(\tau)$:
$D_2(i,d) = D_1(i,d)$
$L_2(i,l) = 1 + L_1(i,l)$

3. $(S,s) \rightarrow_{(B,b)(\beta)} (T,t)(\tau)$:
$D_3(i,d) \le D_1(i-1, d+1)$
$L_3(i,l) \le 3 + 2l + |\Sigma| n^{i-1}\big(1 + L_1(i-1, 3+l) + 1 + |\Sigma| n^{i-1}(L_1(i-1, 3+l) + 1) + 1 + |\Sigma| n^{i-1}(L_1(i-1, 3+l) + 1)\big) \le 3 + 2l + 4|\Sigma|^2 n^{2(i-1)} L_1(i-1, l+3)$

4. $(S,s) \rightarrow^{\mathrm{weak}}_{(B,b)(\beta)} (T,t)(\tau)$:
$D_4(i,d) \le D_2(i-1, d+1) = D_1(i-1, d+1)$
$L_4(i,l) \le 3 + 2l + (1 + |\Sigma| n^{i-1})\big(1 + |\Sigma| n^{i-1}(1 + L_2(i-1, l+3))\big) \le 3 + 2l + 4|\Sigma|^2 n^{2(i-1)} L_1(i-1, l+3)$

5. $(S,s) \dashrightarrow_{(B,b)(\beta)} (T,t)(\tau)$:
$D_5(i,d) \le D_1(i-1, \max(1 + D_3(i,d), 1 + D_4(i,d)))$
$L_5(i,l) \le |\Sigma| \cdot \big(L_1(i-1, 3 + L_3(i,l)) + 2 + |\Sigma| n^{i-1} \cdot (L_1(i-1, \max(3 + L_3(i,l), 3 + L_4(i,l))) + 1)\big) + 1 + |\Sigma| n^{i-1} \cdot (1 + L_3(i, 3+l))$

Table 2. The relative depths and lengths of the reachability formulas over configurations of level $i$, and LTL formulas $\beta$ and $\tau$ of depth at most $d$ and length at most $l$. For the first two reachability formulas, we consider $i \ge 0$ and for the other formulas $i \ge 1$.


formula-parameters $\beta$ and $\tau$, but only the level $i$ of the configurations $S, B$, and $T$. Hence, they do not dominate the growth rate of the overall formula length.


Lemma 6. Consider a reset cascade A with n levels and up to n states in each level, and a formula $\varphi = S \rightsquigarrow_{B(\beta)} T(\tau)$ with configurations $S, B$ and $T$ of A of level $i \le n$. Let $d = \max(\mathrm{depth}(\beta), \mathrm{depth}(\tau))$ and let $l = \max(|\beta|, |\tau|)$. Then: (a) $\mathrm{depth}(\varphi) \le d + 3^i$ and (b) $|\varphi| \le l \cdot (10|\Sigma|^2 n)^{4^i}$.

Lemma 6 is proven by induction on $i$ and the details of this proof can be found in the full version [5].
4.4 Translating Deterministic Counter-Free Automata to LTL 


We use the reachability formulas of Section 4.2 to translate a reset cascade A to an equivalent LTL formula. Our LTL formulation of A's acceptance condition is based on an LTL formulation of "C is visited finitely/infinitely often along a run of A on a word w", for a given configuration C of A. It thus applies to every ω-regular acceptance condition and by Propositions 6 and 8 to every deterministic counter-free ω-regular automaton. We introduce two shorthands to the main reachability formula: the first is satisfied if we reach T from S without any side constraints (which is always satisfied in the case that S = T), and the second requires that we reach it along a nonempty prefix.

$$S \rightsquigarrow T := S \rightsquigarrow_{T(\mathit{false})} T(\mathit{true}) \qquad\qquad S \rightsquigarrow^{+} T := \bigvee_{\sigma \in \Sigma} \big(\sigma \wedge X(\delta(S,\sigma) \rightsquigarrow T)\big)$$

With Lemmas 4 and 5 we then obtain (the proof can be found in [5]): 


Lemma 7. Consider a reset cascade $A = (2^{AP}, A_1, \ldots, A_n)$ together with an initial configuration $\iota$ and some configuration $C$. Then for a word $w \in (2^{AP})^\omega$, the run of A on $w$ starting in $\iota$ visits $C$ finitely often iff $w$ satisfies the formula

$$\mathit{Fin}(C) = \neg(\iota \rightsquigarrow C) \;\vee\; \iota \rightsquigarrow C\big(\neg(C \rightsquigarrow^{+} C)\big).$$

Furthermore, $\mathit{Fin}(C) \in \Sigma_2$.
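The intended semantics of rows 1 and 2 of Table 1, the $\mathit{Fin}(C)$ formula of Lemma 7 and the Muller encoding used in the proof of Theorem 2 can all be checked mechanically on ultimately periodic words. The following Python block is an added example and not code from the paper: it constructs a small deterministic semiautomaton over $2^{AP}$ with $AP = \{a, b\}$ (the names `delta`, `Lasso`, `reach`, `weak_reach`, `fin` and `muller_accepts` are this example's own), evaluates the strong and weak main reachability formulas by direct quantification over a finite horizon (the pair of state and loop offset repeats after at most $|u| + |Q| \cdot |v|$ positions of $u v^\omega$, so the quantifiers of Table 1 become decidable), checks the duality $S \rightsquigarrow^{\mathrm{weak}}_{B(\beta)} T(\tau) = \neg(S \rightsquigarrow_{T(\tau)} B(\beta))$, and compares $\mathit{Fin}(C)$ with the set of configurations visited infinitely often along the run. The semantics are evaluated on the word directly rather than by building the LTL formulas themselves.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, Iterable, Tuple

# Added example, not code from the paper. A constructed deterministic
# semiautomaton over Sigma = 2^{AP} with AP = {a, b} and states 0, 1, 2.
Letter = FrozenSet[str]
STATES = (0, 1, 2)

def L(*props: str) -> Letter:
    """A letter of 2^{AP}: the set of atomic propositions that hold."""
    return frozenset(props)

def delta(q: int, letter: Letter) -> int:
    """Constructed transitions: 'b' leads to the absorbing state 2,
    'a' to state 1, and the empty letter back to state 0."""
    if q == 2 or "b" in letter:
        return 2
    return 1 if "a" in letter else 0

@dataclass(frozen=True)
class Lasso:
    """The ultimately periodic word prefix . loop^omega (loop non-empty)."""
    prefix: Tuple[Letter, ...]
    loop: Tuple[Letter, ...]

    def at(self, i: int) -> Letter:
        if i < len(self.prefix):
            return self.prefix[i]
        return self.loop[(i - len(self.prefix)) % len(self.loop)]

    def suffix(self, i: int) -> "Lasso":
        """w[i..], again as a lasso."""
        if i < len(self.prefix):
            return Lasso(self.prefix[i:], self.loop)
        k = (i - len(self.prefix)) % len(self.loop)
        return Lasso((), self.loop[k:] + self.loop[:k])

    def horizon(self) -> int:
        # Beyond this position the pair (state, loop offset) repeats, so the
        # quantifiers of Table 1 can be decided on a finite range.
        return len(self.prefix) + len(STATES) * len(self.loop)

def config_at(s: int, w: Lasso, i: int) -> int:
    """delta(S, w[0..i)): the configuration after the first i letters."""
    for k in range(i):
        s = delta(s, w.at(k))
    return s

Pred = Callable[[Lasso], bool]

def TRUE(_: Lasso) -> bool:
    return True

def FALSE(_: Lasso) -> bool:
    return False

def reach(s: int, b: int, beta: Pred, t: int, tau: Pred, w: Lasso) -> bool:
    """Row 1 of Table 1: not reaching B(beta) until reaching T(tau)."""
    for i in range(w.horizon()):
        if config_at(s, w, i) == t and tau(w.suffix(i)):
            return True
        if config_at(s, w, i) == b and beta(w.suffix(i)):
            return False
    return False

def weak_reach(s: int, b: int, beta: Pred, t: int, tau: Pred, w: Lasso) -> bool:
    """Row 2 of Table 1: reaching T(tau) releases not reaching B(beta)."""
    target_seen = False
    for i in range(w.horizon()):
        if config_at(s, w, i) == b and beta(w.suffix(i)) and not target_seen:
            return False
        if config_at(s, w, i) == t and tau(w.suffix(i)):
            target_seen = True
    return True

def duality_holds(s: int, b: int, beta: Pred, t: int, tau: Pred, w: Lasso) -> bool:
    """Formula 2 equals the negation of Formula 1 with B(beta) and T(tau) swapped."""
    return weak_reach(s, b, beta, t, tau, w) == (not reach(s, t, tau, b, beta, w))

def reach_plus(s: int, t: int, w: Lasso) -> bool:
    """S ~>+ T of Section 4.4: T is reached along a non-empty prefix."""
    return any(config_at(s, w, i) == t for i in range(1, w.horizon() + 1))

def fin(iota: int, c: int, w: Lasso) -> bool:
    """Fin(C) of Lemma 7: not(iota ~> C) or iota ~> C(not(C ~>+ C))."""
    if not reach(iota, c, FALSE, c, TRUE, w):
        return True
    return reach(iota, c, FALSE, c, lambda v: not reach_plus(c, c, v), w)

def visits_finitely_often(iota: int, c: int, w: Lasso) -> bool:
    """Ground truth read off the periodic part of the run."""
    h = w.horizon()
    inf_states = {config_at(iota, w, i) for i in range(h, h + len(STATES) * len(w.loop))}
    return c not in inf_states

def fin_matches_direct(w: Lasso) -> bool:
    return all(fin(0, c, w) == visits_finitely_often(0, c, w) for c in STATES)

def muller_accepts(iota: int, sets: Iterable[FrozenSet[int]], w: Lasso) -> bool:
    """Theorem 2's encoding: some G in the condition with every C in G visited
    infinitely often (not Fin(C)) and every C outside G finitely often (Fin(C))."""
    return any(all(fin(iota, c, w) == (c not in g) for c in STATES) for g in sets)
```

A call such as `fin(0, 1, Lasso((L(), L("a")), (L(),)))` evaluates $\mathit{Fin}(C)$ for $\iota = 0$ and $C = 1$ on the word $\{\}\{a\}\{\}^\omega$, whose run visits state 1 exactly once; `fin_matches_direct` confirms the lemma's equivalence for every configuration of the constructed semiautomaton on a given word.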
We are now in position to give our main result. 


Theorem 2. Every counter-free deterministic ω-regular automaton D over alphabet $2^{AP}$ with n states (and any acceptance condition) is equivalent to an LTL formula $\varphi$ over atomic propositions $AP$ of double-exponential temporal-nesting depth (in $2^{O(2^n)}$) and triple-exponential length (in $2^{2^{2^{O(n)}}}$). If D is a looping-Büchi, looping-coBüchi, weak, Büchi, coBüchi, or Muller automaton then $\varphi$ is respectively in the $\Pi_1$, $\Sigma_1$, $\Delta_1$, $\Pi_2$, $\Sigma_2$, or $\Delta_2$ syntactic fragment of LTL.


Proof. We first prove the general result, w.r.t. an arbitrary counter-free deterministic automaton D, and then take into account D's acceptance condition, to establish the last part of the theorem.

Consider a counter-free deterministic ω-regular automaton D with some acceptance condition and n states. Recall that there is a Muller automaton D' equivalent to D over the semiautomaton of D. By Propositions 6 and 8, D' is equivalent to a deterministic Muller automaton D'' that is described by a reset cascade A with up to $m = 2^n$ levels and $m$ states in each level (and thus up to $m^m$ configurations), and whose acceptance condition has up to $k \in 2^{O(m^m)}$ acceptance sets. An LTL formula $\varphi$ equivalent to D can be defined by formulating the acceptance condition of D' along Lemma 7.

Recall that the Muller condition is a $k$-element disjunction, where each disjunct $M$ is a conjunction of requirements to visit infinitely often every configuration from some set $G$ and finitely often every configuration not in $G$. Observe that $M$ can be formulated as a disjunction over all the configurations in D'' (at most $m^m$), having for each configuration $C$ the LTL formula $\mathit{Fin}(C)$ or $\neg\mathit{Fin}(C)$, as defined in Lemma 7, depending on whether or not $C \in G$. Hence, the overall formula $\varphi$ is a combination of disjunctions and conjunctions of up to $k \cdot m^m$ subformulas of the form $\mathit{Fin}(C)$ or $\neg\mathit{Fin}(C)$. Therefore, the depth of $\varphi$ is the same as of $\mathit{Fin}(C)$, while $|\varphi| \in O(k\, m^m\, |\mathit{Fin}(C)|) \subseteq 2^{O(m^m)}\, |\mathit{Fin}(C)|$. For calculating $\mathrm{depth}(\mathit{Fin}(C))$ and $|\mathit{Fin}(C)|$, we use Lemma 6 bottom up over the subformulas of $\mathit{Fin}(C)$.
Depth.

$$\mathrm{depth}(\iota \rightsquigarrow C) \le 3^m; \qquad \mathrm{depth}(C \rightsquigarrow^{+} C) \le 3^m + 1$$

$$\mathrm{depth}\big(\iota \rightsquigarrow C(\neg(C \rightsquigarrow^{+} C))\big) \le 2 \cdot 3^m + 1$$

$$\mathrm{depth}(\mathit{Fin}(C)) = \max(3^m, 2 \cdot 3^m + 1) \in O(3^m) \subseteq 2^{O(2^n)},$$

implying $\mathrm{depth}(\varphi) \in 2^{O(2^n)}$.

Length.

$$|\iota \rightsquigarrow C| \le (10|\Sigma|^2 m)^{4^m}; \qquad |C \rightsquigarrow^{+} C| \le (4|\Sigma|) \cdot (10|\Sigma|^2 m)^{4^m}$$

$$|\iota \rightsquigarrow C(\neg(C \rightsquigarrow^{+} C))| \le (1 + |C \rightsquigarrow^{+} C|) \cdot (10|\Sigma|^2 m)^{4^m} \in (|\Sigma| m)^{2^{O(m)}}$$

$$|\mathit{Fin}(C)| \in 2 + (10|\Sigma|^2 m)^{4^m} + (|\Sigma| m)^{2^{O(m)}} \subseteq (|\Sigma| m)^{2^{O(m)}}.$$

Therefore, $|\varphi| \in 2^{O(m^m)} \cdot (m^m) \cdot \big((|\Sigma| m)^{2^{O(m)}}\big) = |\Sigma|^{2^{2^{O(n)}}}$.

Expressing the length of $\varphi$ with respect to the number $n$ of states in the automaton D, and taking into account the fact that the alphabet $\Sigma$ has at most $n^n$ different letters (any additional letter must have the same behavior as another letter), we have: $|\varphi| \in |\Sigma|^{2^{2^{O(n)}}} \le (2^{n \log n})^{2^{2^{O(n)}}} \subseteq 2^{2^{2^{O(n)}}}$.

We now sketch the second part of the theorem connecting the syntactic hierarchy and the different acceptance conditions of D. We only consider the cases in which D is either a Muller or a coBüchi automaton. The complete analysis is given in the full version [5]. If D is a Muller automaton, then the overall formula $\varphi$ is in $\Delta_2$, since it is a Boolean combination of $\mathit{Fin}(C)$ formulas, which by Lemma 7 belong to $\Sigma_2$. If D is a coBüchi automaton, then we construct the formula $\varphi$ directly from the coBüchi condition $\alpha$: $\varphi$ is a conjunction of $\mathit{Fin}(C)$ formulas over all configurations $C$ that are mapped to states in $\alpha$. As $\mathit{Fin}(C)$ belongs to $\Sigma_2$, so does $\varphi$.


Observe that by Theorem 2, we get the following result, extending the result 
of [39, Theorem 3.2] that only considers Rabin automata. 


Corollary 1. Every counter-free deterministic ω-regular automaton (with any acceptance condition) recognises an LTL-definable language.


Proof. Recall that every deterministic w-regular automaton is equivalent to a 
deterministic Muller automaton over the same semiautomaton (see, e.g., [3]). 
The claim is then a direct consequence of Theorem 2. 


Remark 2. Theorem 2 can be adapted to the finite-word setting. While on infinite words, the neXt operator is self-dual, i.e., $\neg X\varphi$ is equivalent to $X\neg\varphi$, over finite words, this equivalence does not hold on words of length 1. Thus $X$ gains a dual weak next, defined as $\widetilde{X}\varphi := \neg X \neg\varphi$. In the finite word case, syntactic cosafety (safety) formulas are constructed from $\mathit{true}$, $\mathit{false}$, $a$, $\neg a$, $\vee$, $\wedge$, and the temporal operators $U$ and $X$ ($R$ and $\widetilde{X}$). Observe that $X$ and $\widetilde{X}$ differ only on words of length 1, and thus the only required change in our translation scheme is to replace some $X$s with $\widetilde{X}$s in the reachability formula 4. For finite words a translation of a counter-free DFA to an LTL formula with only a double exponential size blow-up is known [42]; however, unlike our translation, it does not guarantee syntactic safety (cosafety) formulas for safety (cosafety) languages.


Lastly, we provide a corollary on looping automata, using Theorem 2 and 
the following known result. 


Proposition 9 (Rephrased Theorem 13 from [29]). Let D be a deterministic looping-Büchi automaton with n states that recognises an LTL-definable language. Then there exists an equivalent counter-free deterministic looping-Büchi automaton D' with at most n states.


Corollary 2. Every deterministic looping-Büchi (looping-coBüchi) automaton with n states that recognises an LTL-definable language is equivalent to an LTL formula $\varphi \in \Pi_1$ ($\Sigma_1$) of temporal nesting depth in $2^{O(2^n)}$ and length in $2^{2^{2^{O(n)}}}$.


This is an elementary upper bound for two constructions for which either the 
upper bound was unknown or non-elementary: the liveness-safety decomposition 
of LTL [29] and the translation of semantic safety LTL to syntactic safety LTL. 


5 Conclusions 


We have studied the size trade-offs between LTL and automata. Over a unary alphabet, the situation is straightforward and we provided tight complexity bounds. The general case of infinite words over an arbitrary alphabet is more complex. We gave to our knowledge the first elementary complexity bound on the translation of counter-free deterministic ω-regular automata into LTL formulas.

Every ω-regular automaton recognising an LTL-definable language can be translated to a counter-free deterministic automaton [39, Theorem 3.2]. Yet, we are unaware of a bound on the size blow-up involved in such a translation. Once established, it can be combined with our translation to get a general bound on the translation of automata to LTL. It will also provide a (currently unknown⁶) elementary upper bound on the translation of LTL with both future and past operators to LTL with only future operators (which is the version of LTL that we have considered), as (both versions of) LTL can be translated to nondeterministic Büchi automata with a single exponential size blow-up [41, Theorem 2.1].

While going from non-elementary to double-exponential depth and triple-exponential length is an improvement, these upper bounds might not be tight—there is currently no known non-linear lower bound! Closing this gap is a challenging open problem, which might require new lower bound techniques for alternating automata, as LTL formulas are an inherently alternating model.


Acknowledgements. We thank Moshe Vardi and Orna Kupferman for suggesting 
studying the succinctness gap between semantic and syntactic safe formulas, and 
Mikołaj Bojanczyk for answering our questions on algebraic automata theory. 


⁶ In consultation with the author of [30], we have confirmed that while the lower bound provided in that paper holds, the stated upper bound is erroneous.




References

1. Birget, J.C.: Two-way automata and length-preserving homomorphisms. Mathematical Systems Theory 29(3), 191–226 (1996)
2. Bojanczyk, M.: Languages recognised by finite semigroups, and their generalisations to objects such as trees and graphs, with an emphasis on definability in monadic second-order logic (2020)
3. Boker, U.: Why these automata types? In: Proc. of LPAR. pp. 143–163 (2018)
4. Boker, U., Kupferman, O.: The quest for a tight translation of Büchi to co-Büchi automata. In: Fields of Logic and Computation, pp. 147–164. Springer (2010)
5. Boker, U., Lehtinen, K., Sickert, S.: On the translation of automata to linear temporal logic (2022), https://arxiv.org/abs/2201.10267, full version
6. Cerna, I., Pelanek, R.: Relating hierarchy of temporal properties to model checking. In: MFCS. Lecture Notes in Computer Science, vol. 2747, pp. 318–327. Springer (2003)
7. Chandra, A.K., Kozen, D.C., Stockmeyer, L.J.: Alternation. J. ACM 28(1), 114–133 (Jan 1981)
8. Chang, E.Y., Manna, Z., Pnueli, A.: Characterization of temporal property classes. In: Kuich, W. (ed.) Automata, Languages and Programming, 19th International Colloquium, ICALP92, Vienna, Austria, July 13–17, 1992, Proceedings. Lecture Notes in Computer Science, vol. 623, pp. 474–486. Springer (1992)
9. Chrobak, M.: Finite automata and unary languages. Theoretical Computer Science 47, 149–158 (1986)
10. Cohen, J., Perrin, D., Pin, J.E.: On the expressive power of temporal logic. Journal of Computer and System Sciences 46(3), 271–294 (1993)
11. Cohen-Chesnot, J.: On the expressive power of temporal logic for infinite words. Theoretical Computer Science 83(2), 301–312 (1991)
12. Colcombet, T., Zdanowski, K.: A tight lower bound for determinization of transition labeled Büchi automata. In: International Colloquium on Automata, Languages, and Programming. pp. 151–162. Springer (2009)
13. Diekert, V., Gastin, P.: First-order definable languages. In: Logic and Automata: History and Perspectives [in Honor of Wolfgang Thomas]. Texts in Logic and Games, vol. 2, pp. 261–306 (2008)
14. Eilenberg, S.: Automata, Languages, and Machines Volume B. Academic Press, Inc., USA (1976)
15. Etessami, K., Vardi, M.Y., Wilke, T.: First-order logic with two variables and unary temporal logic. Inf. Comput. 179(2), 279–295 (2002)
16. Gabbay, D., Pnueli, A., Shelah, S., Stavi, J.: On the temporal analysis of fairness. In: Proc. of POPL. pp. 163–173. New York, NY, USA (1980)
17. Geffert, V., Mereghetti, C., Pighizzini, G.: Complementing two-way finite automata. Information and Computation 205(8), 1173–1187 (2007)
18. Kamp, J.A.W.: Tense logic and the theory of linear order. University of California, Los Angeles (1968)
19. Kupferman, O., Rosenberg, A.: The blowup in translating LTL to deterministic automata. In: Proc. of Model Checking and Artificial Intelligence. pp. 85–94 (2010)
20. Kupferman, O., Ta-Shma, A., Vardi, M.Y.: Counting with automata. In: Proc. of LICS (1999)
21. Kupferman, O., Vardi, M.Y.: Weak alternating automata are not that weak. ACM Transactions on Computational Logic (TOCL) 2(3), 408–429 (2001)
22. Ladner, R.E.: Application of model theoretic games to discrete linear orders and finite automata. Information and Control 33(4), 281–303 (1977)
23. Leiss, E.: Succinct representation of regular languages by boolean automata. Theoretical Computer Science 13(3), 323–330 (1981)
24. Löding, C.: Optimal bounds for transformations of ω-automata. In: Rangan, C.P., Raman, V., Ramanujam, R. (eds.) Foundations of Software Technology and Theoretical Computer Science. pp. 97–109. Springer Berlin Heidelberg, Berlin, Heidelberg (1999)
25. Maler, O.: On the Krohn-Rhodes cascaded decomposition theorem. In: Time for Verification, Essays in Memory of Amir Pnueli. Lecture Notes in Computer Science, vol. 6200, pp. 260–278. Springer (2010)
26. Maler, O., Pnueli, A.: Tight bounds on the complexity of cascaded decomposition of automata. In: Proc. of FOCS. pp. 672–682 (1990)
27. Maler, O., Pnueli, A.: On the cascaded decomposition of automata, its complexity and its application to logic. Unpublished. Available at: http://www-verimag.imag.fr/~maler/Papers/decomp.pdf (1994)
28. Manna, Z., Pnueli, A.: A hierarchy of temporal properties. In: PODC. pp. 377–410. ACM (1990)
29. Maretic, G.P., Dashti, M.T., Basin, D.A.: LTL is closed under topological closure. Inf. Process. Lett. 114(8), 408–413 (2014)
30. Markey, N.: Temporal logic with past is exponentially more succinct. Bull. EATCS 79, 122–128 (2003)
31. McNaughton, R., Papert, S.A.: Counter-Free Automata (MIT research monograph no. 65). The MIT Press (1971)
32. Michel, M.: Complementation is more difficult with automata on infinite words. CNET, Paris 15 (1988)
33. Muller, D.E., Saoudi, A., Schupp, P.E.: Weak alternating automata give a simple explanation of why most temporal and dynamic logics are decidable in exponential time. In: Proceedings Third Annual Symposium on Logic in Computer Science. pp. 422–423. IEEE Computer Society (1988)
34. Perrin, D.: Recent results on automata and infinite words. In: International Symposium on Mathematical Foundations of Computer Science. pp. 134–148. Springer (1984)
35. Safra, S.: Complexity of automata on infinite objects. Ph.D. thesis, Weizmann Institute, Rehovot, Israel (1989)
36. Schewe, S.: Büchi Complementation Made Tight. In: Albers, S., Marion, J.Y. (eds.) Proc. of 26th International STACS. Leibniz International Proceedings in Informatics (LIPIcs), vol. 3, pp. 661–672 (2009)
37. Sickert, S., Esparza, J.: An efficient normalisation procedure for linear temporal logic and very weak alternating automata. In: LICS. pp. 831–844. ACM (2020)
38. Thomas, W.: Star-free regular sets of ω-sequences. Information and Control 42(2), 148–156 (1979)
39. Thomas, W.: A combinatorial approach to the theory of ω-automata. Information and Control 48(3), 261–283 (1981)
40. Thomas, W.: Automata on infinite objects. In: Formal Models and Semantics, pp. 133–191. Elsevier (1990)
41. Vardi, M., Wolper, P.: An automata-theoretic approach to automatic program verification. In: Proc. of LICS. pp. 332–344 (1986)
42. Wilke, T.: Classifying discrete temporal properties. In: Annual Symposium on Theoretical Aspects of Computer Science. pp. 32–46. Springer (1999)
43. Wilke, T.: Past, present, and infinite future. In: 43rd International Colloquium on Automata, Languages, and Programming (ICALP 2016). Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik (2016)
44. Wilke, T.: Backward deterministic Büchi automata on infinite words. In: 37th IARCS Annual Conference on Foundations of Software Technology and Theoretical Computer Science (FSTTCS 2017). Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik (2018)
45. Wolper, P.: Temporal logic can be more expressive. Information and Control 56(1–2), 72–99 (1983)
46. Zuck, L.D.: Past Temporal Logic. Ph.D. thesis, The Weizmann Institute of Science, Israel (Aug 1986)


Open Access This chapter is licensed under the terms of the Creative Commons 
Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), 
which permits use, sharing, adaptation, distribution and reproduction in any medium 
or format, as long as you give appropriate credit to the original author(s) and the 
source, provide a link to the Creative Commons license and indicate if changes were 
made. 

The images or other third party material in this chapter are included in the chapter’s 
Creative Commons license, unless indicated otherwise in a credit line to the material. If 
material is not included in the chapter’s Creative Commons license and your intended 
use is not permitted by statutory regulation or exceeds the permitted use, you will need 
to obtain permission directly from the copyright holder. 


Categorical composable cryptography*

Anne Broadbent and Martti Karvonen

Department of Mathematics and Statistics, University of Ottawa, Ottawa, Canada
{abroadbe,martti.karvonen}@uottawa.ca


Abstract. We formalize the simulation paradigm of cryptography in 
terms of category theory and show that protocols secure against abstract 
attacks form a symmetric monoidal category, thus giving an abstract 
model of composable security definitions in cryptography. Our model 
is able to incorporate computational security, set-up assumptions and 
various attack models such as colluding or independently acting subsets 
of adversaries in a modular, flexible fashion. We conclude by using string 
diagrams to rederive the security of the one-time pad and no-go results 
concerning the limits of bipartite and tripartite cryptography, ruling out 
e.g., composable commitments and broadcasting. 


Keywords: Cryptography · composable security · quantum cryptography · category theory


1 Introduction 


Modern cryptographic protocols are complicated algorithmic entities, and their 
security analyses are often no simpler than the protocols themselves. Given this 
complexity, it would be highly desirable to be able to design protocols and reason 
about them compositionally, i.e., by breaking them down into smaller constituent 
parts. In particular, one would hope that combining protocols proven secure 
results in a secure protocol without need for further security proofs. However, this 
is not the case for stand-alone security notions that are common in cryptography. 
To illustrate such failures of composability, let us consider the history of quantum 
key distribution (QKD), as recounted in [60]: QKD was originally proposed in 
the 80s [7]. The first security proofs against unbounded adversaries followed 
a decade later [8, 49, 50, 64]. However, since composability was originally not a 
concern, it was later realized that the original security definitions did not provide 
a good enough level of security [42]—they didn’t guarantee security if the keys 
were to be actually used, since even a partial leak of the key would compromise 
the rest. The story ends on a positive note, as eventually a new security criterion 
was proposed, together with stronger proofs [5, 62]. 

In this work we initiate a categorical study of composable security definitions 
in cryptography. In the viewpoint developed here one thinks of cryptography 
as a resource theory: cryptographic functionalities (e.g. secure communication 
channels) are viewed as resources and cryptographic protocols let one transform 
some starting resources to others. For instance, one can view the one-time-pad as 
a protocol that transforms an authenticated channel and a shared secret key into 
a secure channel. For a given protocol, one can then study whether it is secure 
against some (set of) attack model(s), and protocols secure against a fixed set 
of models can always be composed sequentially and in parallel. 


This is in fact the viewpoint taken in constructive cryptography [47], which 
also develops the one-time-pad example above in more detail. However [47] does 
not make a formal connection to resource theories as usually understood, whether 
as in quantum physics [16,39], or more generally as defined in order theoretic [32] 
or categorical [20] terms. Instead, constructive cryptography is usually combined 
with abstract cryptography [48] which is formalized in terms of a novel algebraic 
theory of systems [46]. 


Our work can be seen as a particular formalization of the ideas behind 
constructive cryptography, or alternatively as giving a categorical account of the 
real-world-ideal-world paradigm (also known as the simulation paradigm [34]), 
which underlies more concrete frameworks for composable security, such as 
universally composable cryptography [13] and others [2, 3, 38, 43, 44, 51, 58]. We will 
discuss these approaches and abstract and constructive cryptography in more 
detail in Section 1.1. 


Our long-term goal is to enable cryptographers to reason about composable 
security at the same level of formality as stand-alone security, without having 
to fix all the details of a machine model nor having to master category theory. 
Indeed, our current results already let one define multipartite protocols 
and security against arbitrary subsets of malicious adversaries in any symmetric 
monoidal category C. Thus, as long as one’s model of interactive computation 
results in a symmetric monoidal category, or more informally, one is willing to 
use pictures such as fig. 1d to depict connections between computational 
processes without further specifying the order in which the picture was drawn, one 
can use the simulation paradigm to reason about multipartite security against 
malicious participants composably—and specifying finer details of the 
computational model is only needed to the extent that it affects the validity of one’s 
argument. Moreover, as our attack models and composition theorems are fairly 
general, we hope that more refined models of adversaries can be incorporated. 


We now highlight our contributions to cryptography: We show how to adapt 
resource theories as categorically formulated [20] in order to reason abstractly 
about secure transformations between resources. This is done in Section 3 by 
formalizing the simulation paradigm in terms of an abstract attack model 
(Definition 1), designed to be general enough to capture standard attack models 
of interest (and more) while still structured enough to guarantee composability. 
This section culminates in Corollary 1, which shows that for any fixed set 
of attack models, the class of protocols secure against each of them results in a 
symmetric monoidal category. In Theorem 3 we observe that under suitable 
conditions, images of secure protocols under monoidal functors remain secure, which 
gives an abstract variant of the lifting theorem [68, Theorem 15] that states that 
perfectly UC-secure protocols are quantum UC-secure. We adapt this framework 
to model computational security in two ways: either by replacing equations with 
an equivalence relation, abstracting the idea of computational indistinguishability, 
as is done in section 4, or by working with a notion of distance, deferred to 
a full version. In the case of a distance, one can then either explicitly bound the 
distance between desired and actually achieved behavior, or work with sequences 
of protocols that converge to the target in the limit: the former models working 
in the finite-key regime [67] and the latter models the kinds of asymptotic 
security and complexity statements that are common in cryptography. Finally, we 
apply the framework developed to study bipartite and tripartite cryptography. 
We first prove pictorially the security of the one-time pad. We then reprove the 
no-go theorems of [46, 48, 61] concerning two-party commitments (resp. three-party 
broadcasting) in this setting, and reinterpret them as limits on what can 
be achieved securely in any compact closed category (resp. symmetric monoidal 
category). The key steps of the proof are done graphically, thus opening the door 
for cryptographers to use such pictorial representations as rigorous tools rather 
than merely as illustrations. 

Moreover, we discuss some categorical constructions capturing aspects of 
resource theories appearing in the physics literature. These contributions may be 
of independent interest for further categorical studies on resource theories. In [20] 
it is observed that many resource theories arise from an inclusion $C_F \hookrightarrow C$ of free 
transformations into a larger monoidal category, by taking the resource theory 
of states. We observe that this amounts to applying the monoidal Grothendieck 
construction [53] to the functor $C_F \hookrightarrow C \xrightarrow{\hom(I,-)} \mathbf{Set}$. This suggests applying 
this construction more generally to the composite of monoidal functors $F\colon D \to 
C$ and $R\colon C \to \mathbf{Set}$. In Example 1 we note that choosing $F$ to be the $n$-fold 
monoidal product $C^n \to C$ captures resources shared by $n$ parties and $n$-partite 
transformations between them. In the extended version, we model categorically 
situations where there is a notion of distance between resources, and instead 
of exact resource conversions one either studies approximate transformations or 
sequences of transformations that succeed in the limit. In the extended version, 
we discuss a variant of a construction on monoidal categories, used in special 
cases in [31] and discussed in more detail in [23, 33], that allows one to declare 
some resources free and thus enlarge the set of possible resource conversions. 


1.1 Related work 


We have already mentioned that cryptographers have developed a plethora of 
frameworks for composable security, such as universally composable 
cryptography [13], reactive simulatability [2, 3, 58] and others [38, 43, 44, 51]. Moreover, 
some of these frameworks have been adapted to the quantum setting [6, 54, 68]. 
One might hence be tempted to think that the problem of composability in 
cryptography has been solved. However, it is fair to say that most mainstream 
cryptography is not formulated composably and that composable cryptography 
has yet to realize its full potential. Moreover, this proliferation of frameworks 
should be taken as evidence of the continued importance of the issue, and is in 
fact reflected by the existence of a recent Dagstuhl seminar on this matter [12]. 
Indeed, the aforementioned frameworks mostly consist of setting up fairly 
detailed models of interacting machines, which as an approach suffers from two 
drawbacks: Firstly, in order to be more realistic, the detailed models are often 
complicated, both to reason in terms of and to define, thus making practicing 
cryptographers less willing to use them. Perhaps more importantly it is not 
always clear whether the results proven in a particular model apply more generally 
for other kinds of machines, whether those of a competing framework or those in 
the real world. It is true that the choice of a concrete machine model does affect 
what can be securely achieved—for instance, quantum cryptography differs from 
classical cryptography and similarly classical cryptography behaves differently 
in synchronous and asynchronous settings [4, 40]. Nevertheless, one might hope 
that composable cryptography could be done at a similar level of formality as 
complexity theory, where one rarely worries about the number of tapes in a 
Turing machine or of other low-level details of machine models. Second, changing 
the model slightly (to e.g., model different kinds of adversaries or to incorporate 
a different notion of efficiency) often requires reproving “composition theorems” 
of the framework or at least checking that the existing proof is not broken by 
the modification. 


In contrast to frameworks based on detailed machine models, there are two 
closely related top-down approaches to cryptography: constructive 
cryptography [47] and its cousin abstract cryptography [48]. We are indebted to both 
of these approaches, and indeed our framework could be seen as formalizing 
the key idea of constructive cryptography—namely, cryptography as a resource 
theory—and thus occupying a similar space as abstract cryptography. A key 
difference is that constructive cryptography is usually instantiated in terms of 
abstract cryptography [48], which in turn is based on a novel algebraic theory of 
systems [46]. However, our work is not merely a translation from this theory to 
categorical language, as there are important differences and benefits that stem 
from formalizing cryptography in terms of a well-established and well-studied 
algebraic theory of systems—that of (symmetric) monoidal categories: 


The fact that cryptographers wish to compose their protocols sequentially and 
in parallel strongly suggests using monoidal categories, that have these 
composition operations as primitives. In our framework, protocols secure against a fixed 
set of attack models result in a symmetric monoidal category. In contrast, the 
algebraic theory of systems [46] on which abstract cryptography is based takes 
parallel composition and internal wiring as its primitives. This design choice 
results in some technical kinks and tangles that are natural with any novel theory 
but have already been smoothed out in the case of category theory. For instance, 
in the algebraic theory of systems of [46] the parallel composition is a partial 
operation and in particular the parallel composite of a system with itself is never 
defined¹ and the set of wires coming out of a system is fixed once and for all². 
In contrast, in a monoidal category parallel composition is a total operation and 
whether one draws a box with $n$ output wires of types $A_1, \dots, A_n$ or a single output 
wire of type $\bigotimes_{i=1}^n A_i$ is a matter of convenience. Technical differences such as 
these make a direct formal comparison or translation between the frameworks 
difficult, even if informally and superficially there are similarities. 

We do not abstract away from an attacker model, but rather make it an 
explicit part of the formalism that can be modified without worrying about 
composability. This makes it possible to consider and combine very easily 
different security properties, and in particular paves the way to model attackers 
with limited powers such as honest-but-curious adversaries. In our framework, 
one can first fix a protocol transforming some resource to another one, and then 
discuss whether this transformation is secure against different attack models. In 
contrast, in abstract cryptography a cryptographic resource is a tuple of 
functionalities, one for each set of dishonest parties, and thus has no prior existence 
before fixing the attack model. This makes the question “what attack models is 
this protocol secure against?” difficult to formalize. 

As category theory is de facto the lingua franca between several subfields of 
mathematics and computer science, elucidating the categorical structures present 
in cryptography opens up the door to further connections between cryptography 
and other fields. For instance, game semantics readily gives models of interactive, 
asynchronous and probabilistic (or quantum) computation [18, 19,69] in which 
our theory can be instantiated, and thus further paves the way for programming 
language theory to inform cryptographic models of concurrency. 

Category theory comes with existing theory, results and tools that can readily 
be applied to questions of cryptographic interest. In particular, the graphical 
calculi of symmetric monoidal and compact closed categories [63] enable one 
to rederive impossibility results shown in [46, 48, 61] purely pictorially. In fact, 
such pictures were already often used as heuristic devices that illuminate the 
official proofs, and viewing these pictures categorically lets us promote them 
from mere illustrations to rigorous yet intuitive proofs. Indeed, in [48, Footnote 
27] the authors suggest moving from a 1-dimensional symbolic presentation to a 
2-dimensional one, and this is exactly what the graphical calculus achieves. 

The approaches above result in a framework where security is defined so as 
to guarantee composability. In contrast, approaches based on various protocol 
logics [25–30] aim to characterize situations where composition can be done 
securely, even if one does not use composable security definitions throughout. 
As these approaches are based on process calculi, they are categorical under the 
hood [52, 55] even if not overtly so. There is also earlier work explicitly discussing 
category theory in the context of cryptography [9, 10, 21, 22, 35–37, 41, 56, 57, 65, 
66], but it concerns stand-alone security of particular cryptographic protocols, 
rather than categorical aspects of composable security definitions. 


¹ While the suggested fix is to assume that one has “copies” of the same system with 
disjoint wire labels, it is unclear how one recognizes or even defines in terms of the 
system algebra that two distinct systems are copies of each other. 

² Indeed, while [59] manages to bundle and unbundle ports along isomorphism when 
convenient, it seems like the chosen technical foundation makes this more of a 
struggle than it should be. 


2 Resource theories 


We briefly review the categorical viewpoint on resource theories of [20]. Roughly 
speaking, a resource theory can be seen as an SMC but the change in 
terminology corresponds to a change in viewpoint: usually in category theory one 
studies global properties of a category, such as the existence of (co)limits, 
relationships to other categories, etc. In contrast, when one views a particular 
SMC C as a resource theory, one is interested in local questions. One thinks of 
objects of C as resources, and morphisms as processes that transform a resource 
to another. From this point of view, one mostly wishes to understand whether 
$\hom_C(X, Y)$ is empty or not for resources $X$ and $Y$ of interest. Thus from the 
resource-theoretic point of view, most of the interesting information in C is 
already present in its preorder collapse. As concrete examples of resource-theoretic 
questions, one might wonder if (i) some noisy channels can simulate a (almost) 
noiseless channel [20, Example 3.13.], (ii) there is a protocol that uses only local 
quantum operations and classical communication and transforms a particular 
quantum state to another one [17], (iii) some non-classical statistical behavior 
can be used to simulate other such behavior [1]. In [20] the authors show how 
many familiar resource theories arise in a uniform fashion: starting from an SMC 
C of processes equipped with a wide sub-SMC $C_F$, the morphisms of which 
correspond to “free” processes, they build several resource theories (=SMCs). 
Perhaps the most important of these constructions is the resource theory of states: 
given $C_F \subseteq C$, the corresponding resource theory of states can be explicitly 
constructed by taking the objects of this resource theory to be states of C, i.e., 
maps $r\colon I \to A$ for some $A$, and maps $r \to s$ are maps $f\colon A \to B$ in $C_F$ that 
transform $r$ to $s$ as in fig. 1a. 

We now turn our attention towards cryptography. As contemporary 
cryptography is both broad and complex in scope, any faithful model of it is likely to be 
complicated as well. A benefit of the categorical idiom is that we can build up to 
more complicated models in stages, which is what we will do in the sequel. We 
phrase our constructions in terms of an arbitrary SMC C, but in order to model 
actual cryptographic protocols, the morphisms of C should represent interactive 
computational machines with open “ports”, with composition then amounting 
to connecting such machines together. Different choices of C set the background 
for different kinds of cryptography, so that quantum cryptographers want C to 
include quantum systems whereas in classical cryptography it is sufficient that 
these computational machines are probabilistic. Constructing such categories C 
in detail is not trivial but is outside our scope—we will discuss this in more 
detail in section 6. 

Our first observation is that there is no reason to restrict to inclusions 
$C_F \subseteq C$ in order to construct a resource theory of states. Indeed, while it 
is straightforward to verify explicitly that the resource theory of states is a 
symmetric monoidal category, it is instructive to understand more abstractly why 
this is so: in effect, the constructed category is the category of elements of the 
composite functor $C_F \hookrightarrow C \xrightarrow{\hom(I,-)} \mathbf{Set}$. As this composite is a (lax) 
symmetric monoidal functor, the resulting category is automatically symmetric monoidal 
as observed in [53]. Thus this construction goes through for any symmetric (lax) 
monoidal functors $D \xrightarrow{F} C \xrightarrow{R} \mathbf{Set}$. Here we may think of $F$ as interpreting 
free processes into an ambient category of all processes, and $R\colon C \to \mathbf{Set}$ as an 
operation that gives for each object $A$ of C the set $R(A)$ of resources of type $A$. 


Explicitly, given symmetric monoidal functors $D \xrightarrow{F} C \xrightarrow{R} \mathbf{Set}$, the category 
of elements $\int RF$ has as its objects pairs $(r, A)$ where $A$ is an object of $D$ and 
$r \in RF(A)$, the intuition being that $r$ is a resource of type $F(A)$. A morphism 
$(r, A) \to (s, B)$ is given by a morphism $f\colon A \to B$ in $D$ that takes $r$ to $s$, 
i.e., satisfies $RF(f)(r) = s$. The symmetric monoidal structure comes from the 
symmetric monoidal structures of $D$, $\mathbf{Set}$ and $RF$. Somewhat more explicitly, 
$(r, A) \otimes (s, B)$ is defined by $(r \otimes s, A \otimes B)$ where $r \otimes s$ is the image of $(r, s)$ 
under the function $RF(A) \times RF(B) \to RF(A \otimes B)$ that is part of the monoidal 
structure on $RF$, and on morphisms of $\int RF$ the monoidal product is defined 
from that of $D$. 

From now on we will assume that $F$ is strong monoidal, and while $R = 
\hom(I,-)$ captures our main examples of interest, we will phrase our results for 
an arbitrary lax monoidal $R$. This relaxation allows us to capture the $n$-partite 
structure often used when studying cryptography, as shown next. 

Example 1. Consider the resource theory induced by $C^n \xrightarrow{\otimes} C \xrightarrow{\hom(I,-)} \mathbf{Set}$, 
where we write $\otimes$ for the $n$-fold monoidal product³. The resulting resource 
theory has a natural interpretation in terms of $n$ agents trying to transform 
resources to others: an object of this resource theory corresponds to a pair 
$((A_i)_{i=1}^n, r\colon I \to \bigotimes_{i=1}^n A_i)$, and can be thought of as an $n$-partite state, depicted 
in fig. 1b, where the $i$th agent has access to a port of type $A_i$. A morphism $f = 
(f_1, \dots, f_n)\colon ((A_i)_{i=1}^n, r) \to ((B_i)_{i=1}^n, s)$ between such resources then amounts to 
a protocol that prescribes, for each agent $i$ a process $f_i$ that they should perform 
so that $r$ gets transformed to $s$ as in fig. 1c. 


In this resource theory, all of the agents are equally powerful and can perform 
all processes allowed by C, and this might be unrealistic: first of all, C might 
include computational processes that are too powerful/expensive for us to use 
in our cryptographic protocols. Moreover, having agents with different 
computational powers is important to model e.g., blind quantum computing [11] where a 
client with access only to limited, if any, quantum computation tries to securely 
delegate computations to a server with a powerful quantum computer. This 
limitation is easily remedied: we could take the $i$th agent to be able to implement 
computations in some sub-SMC $C_i$ of C, and then consider $\prod_{i=1}^n C_i \to C$. 


³ As C is symmetric, the functor $\otimes$ is strong monoidal. 
Fig. 1: Some resource transformations. (a) A map $f$ in the resource theory of 
states; (b) an $n$-partite state; (c) an $n$-partite transformation; (d) factorization of 
an attack on $f \otimes g$. 


A more serious limitation is that such transformations have no security 
guarantees—they only work if each agent performs $f_i$ as prescribed by the 
protocol. We fix this next. 


3 Cryptography as a resource theory 


Fig. 2: Attacks and security constraints. (a) Attack by the parties $k+1, \dots, n$; 
(b) security against the parties $k+1, \dots, n$; (c) security against the initial attack. 


In order for a protocol $f = (f_1, \dots, f_n)\colon ((A_i)_{i=1}^n, r) \to ((B_i)_{i=1}^n, s)$ to be 
secure, we should have some guarantees about what happens if, as a result of an 
attack on the protocol, something other than $(f_1, \dots, f_n)$ happens. For instance, 
some subset of the parties might deviate from the protocol and do something 
else instead. In the simulation paradigm [34], security is then defined by saying 
that anything that could happen when running the real protocol, i.e., $f$ with 
$r$, could also happen in the ideal world, i.e., with $s$. A given protocol might be 
secure against some kinds of attacks and insecure against others, so we define 
security against an abstract attack model. This abstract notion of an attack 
model is one of the main definitions of our paper. It isolates conditions needed 
for the composition theorem (Theorem 1). It also captures our key examples 
that we use to illustrate the definition after giving it. Note that most proofs are 
deferred to an extended version. 


Definition 1. An attack model $A$ on an SMC C consists of giving for each 
morphism $f$ of C a class $A(f)$ of morphisms of C such that 
(i) $f \in A(f)$ for every $f$. 

(ii) For any $f\colon A \to B$ and $g\colon B \to C$ and composable $g' \in A(g)$, $f' \in A(f)$ 
we have $g' \circ f' \in A(g \circ f)$. Moreover, any $h \in A(g \circ f)$ factorizes as $g' \circ f'$ 
with $g' \in A(g)$ and $f' \in A(f)$. 

(iii) For any $f\colon A \to B$, $g\colon C \to D$ in C and $f' \in A(f)$, $g' \in A(g)$ we have 
$f' \otimes g' \in A(f \otimes g)$. Moreover, any $h \in A(f \otimes g)$ factorizes as $h' \circ (f' \otimes g')$ 
with $f' \in A(f)$, $g' \in A(g)$ and $h' \in A(\mathrm{id}_{B \otimes D})$. 


Let $f\colon (A, r) \to (B, s)$ define a morphism in the resource theory $\int RF$ induced by 
$F\colon D \to C$ and $R\colon C \to \mathbf{Set}$. We say that $f$ is secure against an attack model 
$A$ on C (or $A$-secure) if for any $f' \in A(F(f))$ with $\mathrm{dom}(f') = F(A)$ there is 
$b \in A(\mathrm{id}_{F(B)})$ with $\mathrm{dom}(b) = F(B)$ such that $R(f')r = R(b)s$. 


The above definition of security asks for perfect equality and corresponds to 
information-theoretic security in cryptography. This is often too much to hope 
for, and we will replace this by an equivalence relation in section 4 and by a 
notion of distance in an extended version. 

The intuition is that $A$ gives, for each process in C, the set of behaviors that 
the attackers could force to happen instead of honest behavior. In particular, 
$A(\mathrm{id}_B)$ gives the set of behaviors that is available to attackers given access to 
a system of type $B$. Then property (i) amounts to the assumption that the 
adversaries could behave honestly. The first halves of properties (ii) and (iii) 
say that, given an attack on $g$ and one on $f$, both attacks could happen when 
composing $g$ and $f$ sequentially or in parallel. The second parts of these say 
that attacks on composite processes can be understood as composites of attacks. 
However, note that (iii) does not say that an attack on a product has to be 
a product of attacks: the factorization says that any $h \in A(g \otimes f)$ factorizes 
as in fig. 1d with $g' \in A(g)$, $f' \in A(f)$ and $h' \in A(\mathrm{id}_{D \otimes B})$. The intuition is 
that an attacker does not have to attack two parallel protocols independently 
of each other, but might play the protocols against each other in complicated 
ways. This intuition also explains why we do not require that all morphisms in 
$A(f)$ have $F(A)$ as their domain, despite the definition of $A$-security quantifying 
only against those: when factoring $h \in A(g \circ f)$ as $g' \circ f'$ with $g' \in A(g)$ and 
$f' \in A(f)$, we can no longer guarantee that $F(B)$ is the domain of $g'$—perhaps 
the attackers take us elsewhere when they perform $f'$. 

If one thinks of $F\colon D \to C$ as representing the inclusion of free processes 
into general processes, one also gets an explanation why we do not insist that 
free processes and attacks live in the same category, i.e., that $F = \mathrm{id}_C$. This is 
simply because we might wish to prove that some protocols are secure against 
attackers that can use more resources than we wish or can use in the protocols. 


Example 2. For any SMC C there are two trivial attack models: the minimal 
one defined by A(f) = {f} and the maximal one sending f to the class of all 
morphisms of C. We interpret the minimal attack model as representing honest 
behavior, and the maximal one as representing arbitrary malicious behavior. 
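As an added worked check (not part of the paper's own text), here is how both trivial attack models of Example 2 meet conditions (i)–(iii) of Definition 1; note that in the maximal case the factorizations use identities rather than $f$ and $g$ themselves, which is allowed because members of $A(f)$ need not have $A$ as their domain.

```latex
\text{Minimal model } A(f) = \{f\}:\\
\text{(i)}\quad f \in \{f\} = A(f).\\
\text{(ii)}\quad g' = g,\ f' = f \ \Rightarrow\ g' \circ f' = g \circ f \in A(g \circ f);
 \quad \text{the only } h \in A(g \circ f) \text{ is } g \circ f, \text{ already of the form } g' \circ f'.\\
\text{(iii)}\quad f' \otimes g' = f \otimes g \in A(f \otimes g);
 \quad \text{the only } h \in A(f \otimes g) \text{ is } f \otimes g = \mathrm{id}_{B \otimes D} \circ (f \otimes g),
 \ \mathrm{id}_{B \otimes D} \in A(\mathrm{id}_{B \otimes D}).\\[1ex]
\text{Maximal model } A(f) = \operatorname{mor}(C):\\
\text{(i)}\quad f \in \operatorname{mor}(C).\\
\text{(ii)}\quad g' \circ f' \in \operatorname{mor}(C) \text{ for any composable } g', f';
 \quad \text{any } h\colon A \to C \text{ factorizes as } h \circ \mathrm{id}_A
 \text{ with } \mathrm{id}_A \in A(f),\ h \in A(g).\\
\text{(iii)}\quad f' \otimes g' \in \operatorname{mor}(C);
 \quad \text{any } h\colon A \otimes C \to E \text{ factorizes as } h \circ (\mathrm{id}_A \otimes \mathrm{id}_C)
 \text{ with } \mathrm{id}_A \in A(f),\ \mathrm{id}_C \in A(g),\ h \in A(\mathrm{id}_{B \otimes D}).
```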
Proposition 1. If $A_1, \dots, A_n$ are attack models on SMCs $C_1, \dots, C_n$ 
respectively, then there is a product attack model $\prod_{i=1}^n A_i$ on $\prod_{i=1}^n C_i$ defined by 


$$\Bigl(\prod_{i=1}^n A_i\Bigr)(f_1, \dots, f_n) = \prod_{i=1}^n A_i(f_i).$$ 


This proposition, together with the minimal and maximal attack models, is 
already expressive enough to model multi-party computation where some subset 
of the parties might do arbitrary malicious behavior. Indeed, consider the 
$n$-partite resource theory induced by $C^n \xrightarrow{\otimes} C \xrightarrow{\hom(I,-)} \mathbf{Set}$. Let us first model a 
situation where the first $n-1$ participants are honest and the last participant 
is dishonest. In this case we can set $A = \prod_{i=1}^n A_i$ where each of $A_1, \dots, A_{n-1}$ 
is the minimal attack model on C and $A_n$ is the maximal attack model. Then, 
an attack on $f = (f_1, \dots, f_n)\colon ((A_i)_{i=1}^n, r) \to ((B_i)_{i=1}^n, s)$ can be represented 
by the first $n-1$ parties obeying the protocol and the $n$-th party doing an 
arbitrary computation $a$, as depicted in the two pictures of fig. 2a, where $[n] := 
\{1, \dots, n\}$, $(k, n] := \{k+1, \dots, n\}$, $f_{[k]} := \bigotimes_{i=1}^k f_i$, and here $k = n-1$. The latter 
representation will be used when we do not need to emphasize pictorially the fact 
that the honest parties are each performing their own individual computations. 

If instead of just one attacker, there are several independently acting 
adversaries, we can take $A = \prod_{i=1}^n A_i$ where $A_i$ is the minimal or maximal attack 
structure depending on whether the $i$th participant is honest or not. If the set 
of dishonest parties can collude and communicate arbitrarily during the process, 
we need the flexibility given in Definition 1 and have the attack structure live 
in a different category than where our protocols live. For simplicity of notation, 
assume that the first $k$ agents are honest but the remaining parties are 
malicious and might do arbitrary (joint) processes in C. In particular, the action 
done by the dishonest parties $k+1, \dots, n$ need not be describable as a product 
$\bigotimes_{i=k+1}^n a_i$ of individual actions. In that case we define $A$ as follows: we first 
consider our resource theory as arising from 
$C^n \xrightarrow{\mathrm{id}^k \times \otimes} C^k \times C \xrightarrow{\otimes} C \xrightarrow{\hom(I,-)} \mathbf{Set}$, 
and define $A$ on $C^k \times C$ as the product of the minimal attack model on $C^k$ and 
the maximal one on C. Concretely, this means that the first $k$ agents always 
obey the protocol, but the remaining agents can choose to perform arbitrary 
joint behaviors in C. Then a generic attack on a protocol $f$ can be represented 
exactly as before in fig. 2a, except we no longer insist that $k = n-1$. Now a 
protocol $f$ is $A$-secure if for any $a$ with $\mathrm{dom}(a) = (A_i)_{i=k+1}^n$, there is a $b$ with 
$\mathrm{dom}(b) = (B_i)_{i=k+1}^n$ satisfying the equation of fig. 2b. 

If one is willing to draw more wire crossings, one can easily depict and 
define security against an arbitrary subset of the parties behaving maliciously, and 
henceforward this is the attack model we have in mind when we say that some 
$n$-partite protocol is secure against some subset of the parties. Moreover, for any 
subset $J$ of dishonest agents, one could consider more limited kinds of attacks: 
for instance, the agents might have limited computational power or limited 
abilities to perform joint computations—as long as the attack model satisfies the 
conditions of Definition 1 one automatically gets a composable notion of secure 
protocols by Theorem 1 below. 
Theorem 1. Given symmetric monoidal functors $F\colon D \to C$, $R\colon C \to \mathbf{Set}$ 
with $F$ strong monoidal and $R$ lax monoidal, and an attack model $A$ on C, 
the class of $A$-secure maps forms a wide sub-SMC of the resource theory $\int RF$ 
induced by $RF$. 


So far we have discussed security only against a single, fixed subset of dishon- 
est parties, while in multi-party computation it is common to consider security 
against any subset containing e.g., at most n/3 or n/2 of the parties. However, 
as monoidal subcategories are closed under intersection, we immediately obtain 
composability against multiple attack models. 


Corollary 1. Given a non-empty family of functors $(D \xrightarrow{F_i} C_i \xrightarrow{R_i} \mathbf{Set})_{i \in I}$ 
with $R_i F_i = R_j F_j =: R$ for all $i, j \in I$ and attack models $A_i$ on $C_i$ for each $i$, 
the class of maps in $\int R$ that is secure against each $A_i$ is a sub-SMC of $\int R$. 


Using Corollary 1 one readily obtains composability of protocols that are 
simultaneously secure against different attack models $A_i$. Thus one could, in principle, 
consider composable cryptography in an $n$-party setting where some subsets are 
honest-but-curious, some might be outright malicious but have limited 
computational power, and some subsets might be outright malicious but not willing or 
able to coordinate with each other, without reproving any composition theorems. 
While the security definition of $f$ quantifies over $A(f)$, which may be infinite, 
under suitable conditions it is sufficient to check security only on a subset of 
$A(f)$, so that whether $f$ is $A$-secure often reduces to finitely many equations. 


Definition 2. Given $f\colon A \to B$, a subset $X$ of $A(f)$ is said to be initial if 
any $f' \in A(f)$ with $\mathrm{dom}(f') = A$ can be factorized as $b \circ a$ with $a \in X$ and 
$b \in A(\mathrm{id}_B)$. 


Theorem 2. Let $f\colon (A, r) \to (B, s)$ define a morphism in the resource theory 
induced by $F\colon D \to C$ and $R\colon C \to \mathbf{Set}$ and let $A$ be an attack model on C. If 
$X \subseteq A(F(f))$ is initial, then $f$ is $A$-secure if, and only if, the security condition 
holds against attacks in $X$, i.e., if for any $f' \in X$ with $\mathrm{dom}(f') = F(A)$ there is 
$b \in A(\mathrm{id}_{F(B)})$ such that $R(f')r = R(b)s$. 


Let us return to the example of $C^n \to C$ with the first $k$ agents being honest and 
the final $n-k$ dishonest and collaborating. Then we can take a singleton as our 
initial subset of attacks on $f$, and this is given by $f_{[k]} \otimes (\bigotimes_{i=k+1}^n \mathrm{id})$. Intuitively, 
this represents a situation where the dishonest parties $k+1, \dots, n$ merely stand 
by and forward messages between the environment and the functionality, so that 
initiality can be seen as explaining “completeness of the dummy adversary” [13, 
Claim 11] in UC-security. In this case the security condition can be equivalently 
phrased by saying that there exists $b \in A(\mathrm{id}_{[n]})$ satisfying the equation of fig. 2c, 
which reproduces the pictures of [51]. Similarly, for classical honest-but-curious 
adversaries one usually only considers the initial such adversary, who follows the 
protocol otherwise except that they keep track of the protocol transcript. 


Theorem 3. In the resource theory of $n$-partite states, if $(f_1, \dots, f_n)$ is secure 
against some subset $J$ of $[n]$ and $F$ is strong monoidal, then $(Ff_1, \dots, Ff_n)$ is 
secure against $J$ as well. 

For instance, if the inclusion of classical interactive computations into quantum 
ones is strong monoidal, i.e., respects sequential and parallel composition (up to 
isomorphism), then unconditionally secure classical protocols are also secure in 
the quantum setting, as shown in the context of UC-security in [68, Theorem 
15]. More generally, this result implies that the construction of the category of 
$n$-partite transformations secure against any fixed subset of $[n]$ is functorial in 
$C$, and this is in fact also true for any family of subsets of $[n]$ by Corollary 1. 


4 Computational security 


The discussion above has been focused on perfect security, so that the equations 
defining security hold exactly. This is often too high a standard for security to 
hope for, and consequently cryptographers routinely work with computational 
or approximate security. We model this in two ways. The first approach replaces 
equations with an equivalence relation abstracting from the idea that the end 
results are “computationally indistinguishable” rather than strictly equal. The 
latter approach amounts to working in terms of a (pseudo) metric quantifying how 
close we are to the ideal resource and is needed to model statements in finite-key 
cryptography [67]. The typical metric is given by “distinguisher advantage for 
polynomial-time environments”, enabling one to use computational complexity 
theory. In a nutshell, this amounts to working with sequences of protocols and 
defining security by saying “for any $\varepsilon > 0$, for sufficiently large $n$, for any attack 
on the $n$th protocol there is an attack on the target resource such that the end 
results are within $\varepsilon$”. The first approach is mathematically straightforward and 
we discuss it next, while the second approach is relegated to an extended version. 

Replacing strict equations with equivalence relations is easy to describe on 
an abstract level as an instance of the theory so far: one just assumes that $C$ has 
a monoidal congruence $\approx$ and then works with the resource theory induced by 
$C \to C/{\approx} \xrightarrow{\hom(I,-)} \mathbf{Set}$ with similar attack models as above. More explicitly, 
as long as each hom-set of $C$ is equipped with an equivalence relation $\approx$ that 
respects $\otimes$ and $\circ$ in that $f \approx f'$ and $g \approx g'$ imply $gf \approx g'f'$ (whenever defined) 
and $g \otimes f \approx g' \otimes f'$, then working with $C^n \to C/{\approx} \xrightarrow{\hom(I,-)} \mathbf{Set}$ results 
in security conditions that replace $=$ in $C$ with $\approx$ throughout. If $C$ describes 
(interactive) computational processes and $\approx$ represents computational indistinguishability 
(inability for any “efficient” process to distinguish between the two), 
one might need to replace $C$ (and consequently functionalities, protocols and attacks 
on them) with the subcategory of $C$ of efficient processes so that $\approx$ indeed 
results in a congruence. 


5 Applications 


We will now explore how the one-time pad (OTP) fits into our framework, paral- 
leling the discussion of OTP in [47]. We will start from the category FinStoch of 
finite sets and stochastic maps between them, with $\otimes$ given by cartesian product 
of sets. This is sufficient for OTP, even if more complicated and interactive cryp- 
tographic protocols will need a different starting category. However, the actual 
category C we work in is built from FinStoch, essentially by a tripartite variant 
of the “resource theory of universally-combinable processes” of [20, Section 3.4]. 
We will defer the detailed construction of C to an extended version and work in 
it more heuristically, allowing us to focus on the OTP. 

Roughly speaking, a “basic object” of $C$ consists of finite sets $A_i, B_i, E_i$ for 
$i = 1, 2$, and of a map $f\colon A_1 \otimes B_1 \otimes E_1 \to A_2 \otimes B_2 \otimes E_2$ in FinStoch, depicted 
in fig. 3a. The intuition is that $((A_i, B_i, E_i)_{i \in \{1,2\}}, f)$ represents a box shared 
by Alice, Bob and Eve, with Alice’s inputs and outputs ranging over $A_1$ and 
$A_2$ respectively, and similarly for Bob and Eve. We will often label the ports 
just by the party who controls it, and omit labeling trivial ports. For example, 
if fig. 4a depicts the copy map $X \to X \otimes X$ for some set $X$ in FinStoch, then 
fig. 4b denotes an object of $C$ representing Alice copying data privately, whereas 
fig. 4c denotes an object of $C$ that sends Alice’s input unchanged to Bob and to 
Eve—which we view as an insecure (but authenticated) channel from Alice to 
Bob. 


Fig. 3: Some resources and protocols. (a) Box shared by Alice, Bob and Eve; 
(b) The OTP protocol; (c) A secure PRNG; (d) Secure channel. [String diagrams not reproduced.] 


Fig. 4: Variants of the copy map. (a) The copy map; (b) Alice’s copy map; 
(c) Alice broadcasting to Bob and Eve; (d) Random shared key. [String diagrams not reproduced.] 

A general object of C then consists of a list of such basic objects, representing 
a list of such resources shared between Alice, Bob and Eve. A morphism of C is 
roughly speaking a way of using the starting resources and local computation by 
the three parties to produce the target resources: a more formal description will 
be given in an extended version. In our attack model Alice and Bob are honest 
but Eve is dishonest, so she might do arbitrary local computation instead of 
whatever our protocols might prescribe. 

In the version of the OTP we discuss, our starting resources consist of an 
insecure but authenticated channel⁴ from Alice to Bob as in fig. 4c and (i.e., $\otimes$) 
of a random key over the same message space, shared by Alice and Bob (fig. 4d). 
The goal is to build a secure channel from Alice to Bob (fig. 3d) from these. 

The local ingredients of OTP and the axioms they obey are depicted in fig. 5 
and correspond to a Hopf algebra with an integral in a SMC. Any finite group 
gives rise to such a structure in FinStoch, with the integral given by the uniform 
distribution. Concretely, this means that Alice and Bob must agree on a group 
structure on the message space, and the fact that this multiplication forms a 
group and that the key is random can be captured by the equations of fig. 5. 


Fig. 5: Local ingredients of OTP and the axioms they obey. [String diagrams not reproduced.] 


The OTP protocol is then depicted in fig. 3b, i.e., Alice adds the key to her 
message, broadcasts it to Eve and Bob. Eve deletes her part and Bob adds the 
inverse of the key to the ciphertext to recover the message. 

To show that the protocol is secure, note that Eve has an initial attack given 
by just reading the ciphertext. The pictorial security proof is depicted in fig. 6. 
The first equation is the interaction between multiplication and copying, the 
second uses (co)associativity, the third one properties of inverses, the fourth and 
last one use unitality, and the fifth one follows from the key being random. Taken 
together, these show that Eve’s initial attack is equal to her just producing a 
random message herself with Alice and Bob sharing the target resource. The 
correctness of the protocol can be proven similarly. Thus OTP gives a map 
$\text{shared key} \otimes \text{authenticated channel} \to \text{secure channel}$ that is secure against Eve. 
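The following Python is an added illustration, not part of the paper: it checks the OTP security equation concretely over the cyclic group $\mathbb{Z}_n$ with exact arithmetic, and also the point of Definition 2 and Theorem 2 that it suffices to treat Eve’s initial attack (reading the ciphertext), since any other attack is a post-processing of it. The message and key distributions are constructed inputs; the “key is random” axiom is the uniform key, and a biased key shows the equation failing.

```python
from collections import defaultdict
from fractions import Fraction
from itertools import product


def normalize(weights):
    """Exact distribution from a dict of non-negative integer weights."""
    total = sum(weights.values())
    return {x: Fraction(w, total) for x, w in weights.items() if w}


def uniform(n):
    """Uniform weights on Z_n: the 'integral' of the group Hopf algebra."""
    return {k: 1 for k in range(n)}


def otp_real(n, msg_weights, key_weights, eve=lambda c: c):
    """Joint distribution of (Bob's output, Eve's output) when the OTP runs
    over Z_n: Alice broadcasts c = m + k, Bob adds the inverse of the key,
    Eve applies `eve` to the ciphertext.  The default `eve` (just reading c)
    is the initial attack; any other attack is a post-processing of it."""
    out = defaultdict(Fraction)
    for (m, pm), (k, pk) in product(normalize(msg_weights).items(),
                                    normalize(key_weights).items()):
        c = (m + k) % n
        bob = (c - k) % n
        out[(bob, eve(c))] += pm * pk
    return dict(out)


def otp_ideal(n, msg_weights, eve=lambda c: c):
    """Target resource plus simulator: the secure channel hands m to Bob, and
    the simulator b feeds a uniformly random group element to Eve's `eve`."""
    out = defaultdict(Fraction)
    for m, pm in normalize(msg_weights).items():
        for c, pc in normalize(uniform(n)).items():
            out[(m, eve(c))] += pm * pc
    return dict(out)


def is_secure(n, msg_weights, key_weights, eve=lambda c: c):
    """Perfect security against attack `eve`: both sides of the equation agree."""
    return otp_real(n, msg_weights, key_weights, eve) == otp_ideal(n, msg_weights, eve)


def is_correct(n, msg_weights, key_weights):
    """Correctness: Bob's output has exactly Alice's message distribution."""
    bob = defaultdict(Fraction)
    for (m, _), pr in otp_real(n, msg_weights, key_weights).items():
        bob[m] += pr
    return dict(bob) == normalize(msg_weights)


if __name__ == '__main__':
    # Constructed inputs: a biased message distribution on Z_5.
    msgs = {0: 1, 3: 1}
    print(is_correct(5, msgs, uniform(5)), is_secure(5, msgs, uniform(5)))  # True True
    # A biased key violates the "key is random" equation: the protocol is insecure.
    print(is_secure(5, msgs, {0: 3, 1: 1}))  # False
```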

We now use this example to illustrate the use of the composition theorems. 
A major drawback of OTP, despite its perfect security, is the fact that one needs 
a key that is as long as the message. In practice, Alice and Bob might only 
share a short key and wish to promote it to a long key. If they agree on a pseudo- 
random number generator (PRNG) with their key as the seed, they can map 
the short key to a longer key. If the PRNG is computationally secure, then the 
end-result is (computationally) indistinguishable from a long key, depicted in 


4 If the insecure channel allows Eve to tamper with the message, the analysis changes. 
Fig. 6: Security proof of OTP. [String diagrams not reproduced.] 


fig. 3c, where $\approx$ stands for computational indistinguishability. We envision the 
computational security of the chosen PRNG to be proven “the usual way” and 
not graphically—after all, we believe that our framework is there to supplement 
ordinary cryptographic reasoning and not to replace it. The PRNG then results 
in a (computationally) secure way of promoting a short shared key into a long 
shared key, and then the composition theorems guarantee that these protocols 
can be composed, resulting in the security of the stream cipher. 

Composable security is a stronger constraint than stand-alone security, and 
indeed many cryptographic functionalities are known to be impossible to achieve 
“in the plain model”, i.e., without set-up assumptions. A case in point is bit 
commitment, which was shown to be impossible in the UC-framework in [14]. 
This result was later generalized in [61] to show that any two-party functionality 
that can be realized in the plain UC-framework is “splittable”. While the authors 
of [61] remark that their result applies more generally than just to the UC- 
framework, this wasn’t made precise until [48]⁵. We present a categorical proof 
of this result in our framework, which promotes the pictures “illustrating the 
proof” in [61] into a full proof—the main difference is that in [61] the pictures 
explicitly keep track of an environment trying to distinguish between different 
functionalities, whereas we prove our result in the case of perfect security and 
then deduce the asymptotic claim. 

We now assume that $C$, our ambient category of interactive computations, is 
compact closed⁶. As we are in the 2-party setting, we take our free computations 


5 Except that in their framework the 2-party case seems to require security constraints 
also when both parties cheat. 

6 We do not view this as overtly restrictive, as many theoretical models of concurrent 
interactive (probabilistic/quantum) computation are compact closed [18, 19, 69]. 
to be given by $C^2$, and we consider two attack models: one where Alice cheats 
and Bob is honest, and one where Bob cheats and Alice is honest. We think of 
$\cup$ as representing a two-way communication channel, but this interpretation is 
not needed for the formal result. 


Theorem 4. For Alice and Bob (one of whom might cheat), if a bipartite functionality 
$r$ can be securely realized from a communication channel between them, 
i.e., from $\cup$, then there is a $g$ such that 


[Equation $(\ast)$: string-diagram equation, not reproduced.] 


Proof. If a protocol $(f_A, f_B)$ achieves this, security constraints give us $s_A, s_B$ 


Corollary 2. Given a compact closed C modeling computation in which wires 
model communication channels, (composable) bit commitment and oblivious trans- 
fer are impossible in that model without setup, even asymptotically in terms of 
distinguisher advantage. 


Proof. If $r$ represents bit commitment from Alice to Bob, it does not satisfy 
the equation required by Theorem 4 for any $g$, and the two sides of $(\ast)$ can be 
distinguished efficiently with at least probability 1/2. Indeed, take any $f$ and 
let us compare the two sides of $(\ast)$: if the distinguisher commits to a random 
bit $b$, then Bob gets a notification of this on the left hand-side, so that $f$ has to 
commit to a bit on the right side of $(\ast)$ to avoid being distinguished from the 
left side. But this bit coincides with $b$ with probability at most 1/2, so that the 
difference becomes apparent at the reveal stage. The case of OT is similar. 


We now discuss a similar result in the tripartite case, which rules out building 
a broadcasting channel from pairwise channels securely against any single party 
cheating. In [46] comparable pictures are used to illustrate the official, symboli- 
cally rather involved, proof, whereas in our framework the pictures are the proof. 
Another key difference is that [46] rules out broadcasting directly, whereas we 
show that any tripartite functionality realizable from pairwise channels satisfies 
some equations, and then use these equations to rule out broadcasting. 
Formally, we are working with the resource theory given by $C^3 \xrightarrow{\otimes} C \xrightarrow{\hom(I,-)} \mathbf{Set}$ 
where $C$ is an SMC, and reason about protocols that are secure against three 
kinds of attacks: one for each party behaving dishonestly while the rest obey the 
protocol. Note that we do not need to assume compact closure for this result, 
and the result goes through for any state on $A \otimes A$ shared between each pair of 
parties: we will denote such a state by $\cup$ by convention. 


Theorem 5. If a tripartite functionality $r$ can be realized from each pair of parties 
sharing a state $\cup$, securely against any single party, then there are simulators 
$s_A, s_B, s_C$ such that 


[Three string-diagram equations, not reproduced.] 


Proof. Any tripartite protocol building on top of each pair of parties sharing $\cup$ 
can be drawn as in the left side of 


[String diagrams, not reproduced.] 


Consider now the morphism in $C$ depicted on the right: it can be seen as the 
result of three different attacks on the protocol $(f_A, f_B, f_C)$ in $C^3$: one where 
Alice cheats and performs $f_A$ and $f_B$ (and the wire connecting them), one where 
Bob performs $f_B$ twice, and one where Charlie performs $f_B$ and $f_C$. The security 
of $(f_A, f_B, f_C)$ against each of these gives the required simulators. 


Corollary 3. Given an SMC $C$ modeling interactive computation, and a state $\cup$ 
on $A \otimes A$ modeling pairwise communication, it is impossible to build broadcasting 
channels securely (even asymptotically in terms of distinguisher advantage) from 
pairwise channels. 


Proof. We show that a channel r that enables Bob to broadcast an input bit to 
Alice and Charlie never satisfies the required equations for any $s_A, s_B, s_C$. In- 
deed, assume otherwise and let the environment plug “broadcast 0” and “broad- 
cast 1” to the two wires in the middle. The leftmost picture then says that Charlie 
receives 1, the rightmost picture implies that Alice gets 0 and the middle picture 
that Alice and Bob get the same output (if anything at all)—a contradiction. In- 
deed, one cannot satisfy all of these simultaneously with high probability, which 
rules out an asymptotic transformation. 


6 Outlook 


We have presented a categorical framework providing a general, flexible and 
mathematically robust way of reasoning about composability in cryptography. 
Besides contributing a further approach to composable cryptography and poten- 
tially helping with cross-talk and comparisons between existing approaches [12], 
we believe that the current work opens the door for several further questions. 
First, due to the generality of our approach we hope that one can, besides 
honest and malicious participants, reason about more refined kinds of adversaries 
composably. Indeed, we expect that Definition 1 is general enough to capture 
e.g., honest-but-curious adversaries⁷. It would also be interesting to see if this 
captures even more general attacks, e.g., situations where the sets of participants 
and dishonest parties can change during the protocol. This might require un- 
derstanding our axiomatization of attack models more structurally and perhaps 
generalizing it. Does this structure (or a variant thereof) already arise in cate- 
gory theory? While we define an attack model on a category, perhaps one could 
define an attack model on a (strong) monoidal functor $F$, the current definition 
being recovered when $F = \mathrm{id}$. 


Second, we expect that rephrasing cryptographic questions categorically would 
enable more cross-talk between cryptography and other fields already using cate- 
gory theory as an organizing principle. For instance, many existing approaches to 
composable cryptography develop their own models of concurrent, asynchronous, 
probabilistic and interactive computations. As categorical models of such com- 
putation exist in the context of game semantics [18,19,69], one is left wondering 
whether the semanticists’ models could be used to study and answer cryp- 
tographic questions, or conversely if the models developed by cryptographers 
contain valuable insights for programming language semantics. 


Besides working inside concrete models—which ultimately blends into “just 
doing composable cryptography” —one could study axiomatically how properties 
of a category relate to cryptographic properties in it. As a specific conjecture in 
this direction, one might hope to talk about honest-but-curious adversaries at 
an abstract level using environment structures [21], that axiomatize the idea of 
deleting a system. Similarly, having agents purify their actions is an important 
tool in quantum cryptography [45]—can categorical accounts of purification [15, 
21,24] elucidate this? 


Finally, we hope to get more mileage out of the tools brought in with the cat- 
egorical viewpoint. For instance, can one prove further no-go results pictorially? 
More specifically, given the impossibility results for two and three parties, one 
wonders if the “only topology matters” approach of string diagrams can be used 
to derive general impossibility results for n parties sharing pairwise channels. 
Similarly, while diagrammatic languages have been used to reason about posi- 
tive cryptographic results in the stand-alone setting [9,10,41], can one push such 
approaches further now that composable security definitions have a clear cate- 
gorical meaning? Besides the graphical methods, thinking of cryptography as a 
resource theory suggests using resource-theoretic tools such as monotones. While 
monotones have already been applied in cryptography [70], a full understanding 
of cryptographically relevant monotones is still lacking. 


7 Heuristically speaking this is the case: an honest-but-curious attack on $g \circ f$ should be 
factorizable as one on $g$ and one on $f$, and similarly an honest-but-curious attack on 
$g \otimes f$ should be factorisable into ones on $g$ and $f$ that then forward their transcripts 
to an attack on $\mathrm{id} \otimes \mathrm{id}$. 
Abstract. We introduce a formal language for specifying dynamic up- 
dates for Software Defined Networks. Our language builds upon Network 
Kleene Algebra with Tests (NetKAT) and adds constructs for synchro- 
nisations and multi-packet behaviour to capture the interaction between 
the control- and data-plane in dynamic updates. We provide a sound and 
ground-complete axiomatisation of our language. We exploit the equa- 
tional theory and provide an efficient method for reasoning about safety 
properties. We implement our equational theory in DyNetiKAT — a tool 
prototype, based on the Maude Rewriting Logic and the NetKAT tool, 
and apply it to a case study. We show that we can analyse the case study 
for networks with hundreds of switches using our tool prototype. 
1 Introduction 


Software-Defined Networking (SDN) is an approach to networking that enables 
the network to be centrally programmed. There is a spectrum of mathematically 
inspired network programming languages that varies between those with a small 
number of language constructs and those with expressive language design which 
allow them to support more networking features. Flowlog [16] and Kinetic [12] 
are points on the more expressive side of the spectrum, which provide support 
for formal reasoning based on SAT-solving and model checking, respectively. 
NetKAT [3,10] is an example of a minimalist language based on Kleene algebra 
with tests that has a sound and complete equational theory. While the core of 
the language is very simple with a small number of operators, the language has 
been extended in various ways to support different aspects of networking such as 
congestion control [9], history-based routing [6] and higher-order functions [20]. 


Our starting point is NetKAT, because it provides a clean and analysable 
framework for specifying SDNs. The minimalist design of NetKAT does not cater 
for some common (failure) patterns in SDNs, particularly those arising from dy- 
namic reconfiguration and the interaction between the data- and control-plane 
flows. In [13], the authors have proposed an extension to NetKAT to support 
stateful network updates. The extension embraces the notion of mutable state 
which is in contrast to the pure functional nature of the language. The pur- 
pose of this paper is to propose an extension of NetKAT to support dynamic 
and stateful behaviours. On the one hand, we preserve the big-step denotational 
semantics of NetKAT-specific constructs enabling, for instance, handling flow 
table updates atomically, in the spirit of [17]. On the other hand, we extend 
NetKAT in a modular fashion, to integrate concurrent SDN behaviours such as 
dynamic updates, defined via a small-step operational semantics. To this end, 
we pledge to keep the minimalistic design of NetKAT by adding only a few new 
operators. Furthermore, our extension does not contradict the nature of the lan- 
guage. DyNetKAT is a conservative extension [2] of NetKAT that enables reusing 
in a modular fashion frameworks previously developed for NetKAT. Examples 
include the NetKAT axiomatisation in [3], for instance. 


A number of concurrent extensions of NetKAT have been introduced to date 
[11,18,21]. These extensions followed different design decisions than the present 
paper and a comparison of their approaches with ours is provided in Section 2; 
however, the most important difference lies in the fact that inspired by earlier 
abstractions in this domain [17], we were committed to create different layers 
for data-plane flows and dynamic updates such that every data-plane packet 
observes a single set of flow tables through its flight through the network. This 
allowed us, unlike the earlier approaches, to build a layer on top of NetKAT 
without modifying its semantics. Although our presentation in this paper is 
based on NetKAT, we envisage that our concurrency layer can be modularly (in 
the sense of Modular SOS [14]) used for other network programming languages 
in the above-mentioned spectrum. We leave a more careful investigation of the 
modularity on other network languages for future work. 


Running Example. To illustrate our language concepts, we focus on modelling 
with DyNetKAT an example of a stateful firewall that involves dynamically 
updating the flow table. The example is overly simplified for the purpose of 
presentation. Towards the end of this paper and also in the extended version [7], 
we treat more complex and larger-scale case studies to evaluate the applicability 
and analysability of our language. 

A firewall is supposed to protect the intranet of an organisation from unauthorised 
access from the Internet. However, due to certain requests from the 
intranet, it should be able to open up connections from the Internet to the intranet. 
Fig. 1: Stateful Firewall. [Figure not reproduced.] 


An example is when a user within the intranet requests a secure connection to a 
node on the Internet; in that case, the response from the node should be allowed 
to enter the intranet. The behaviour of updating the flow tables with respect to 
some events in the network such as receiving a specific packet is a challenging 
phenomenon for languages such as NetKAT. 

Figure 1 shows a simplified version of the stateful firewall network. Note that 
we are not interested in the flow of packets but in the flow update. 
In this version, the Switch does not allow any packet from the port ext to int 
at the beginning. When the Host sends a request to the Switch, it opens up the 
connection. 
Our Contributions. The contributions of this paper are summarised as fol- 
lows. (a) We define the syntax and operational semantics of a dynamic exten- 
sion of NetKAT that allows for modelling and reasoning about control-plane 
updates and their interaction with data-plane flows (Sections 2.3, 2.4). (b) We 
give a sound and ground-complete axiomatisation of our language (Section 3). 
(c) We devise analysis methods for reasoning about flow properties using our ax- 
iomatisation, apply them on examples from the domain and gather and analyse 
evidence of applicability and efficiency for our approach (Sections 4, 5, 6). 


2 Language Design 


In what follows, we provide a brief overview of the NetKAT syntax and seman- 
tics [3]. Then, we motivate our language design decisions, we introduce the syn- 
tax of DyNetKAT and its underlying semantics, and provide the corresponding 
encoding of our running example. 


2.1 Brief Overview of NetKAT 


We proceed by first introducing some basic notions used throughout the paper. 


Definition 1 (Network Packets.) Let $F = \{f_1, \dots, f_n\}$ be a set of field names 
$f_i$ with $i \in \{1, \dots, n\}$. We call network packet a partial function in $F \rightharpoonup \mathbb{N}$ that 
maps field names in $F$ to values in $\mathbb{N}$. We use $\sigma, \sigma'$ to range over network packets. 
We write, for instance, $\sigma(f_i) = v_i$ to denote a test checking whether the value of 
$f_i$ in $\sigma$ is $v_i$. Furthermore, we write $\sigma[f_i := n_i]$ to denote the assignment of $f_i$ to 
$n_i$ in $\sigma$. A (possibly empty) list of packets is defined as a partial function from 
natural numbers to packets, where the natural number in the domain denotes 
the position of the packet in the list such that the domain of the function forms 
an interval starting from 0. The empty list is denoted by $()$ and is defined as 
the empty function (the function with the empty set as its domain). Let $\sigma$ be a 
packet and $l$ be a list, then $\sigma :: l$ is the list $l'$ in which $\sigma$ is at position 0 in $l'$, 
i.e., $l'(0) = \sigma$, and $l'(i+1) = l(i)$, for all $i$ in the domain of $l$. 


NetKAT Syntax: 
$Pr ::= 0 \mid 1 \mid f = n \mid Pr + Pr \mid Pr \cdot Pr \mid \neg Pr$ 
$N ::= Pr \mid f \leftarrow n \mid N + N \mid N \cdot N \mid N^* \mid dup$ 


NetKAT Semantics: 

$[\![1]\!](h) = \{h\}$ 
$[\![0]\!](h) = \emptyset$ 
$[\![f = n]\!](\sigma :: h) = \{\sigma :: h\}$ if $\sigma(f) = n$, and $\emptyset$ otherwise 
$[\![\neg a]\!](h) = \{h\} \setminus [\![a]\!](h)$ 
$[\![f \leftarrow n]\!](\sigma :: h) = \{\sigma[f := n] :: h\}$ 
$[\![p + q]\!](h) = [\![p]\!](h) \cup [\![q]\!](h)$ 
$[\![p \cdot q]\!](h) = ([\![p]\!] \bullet [\![q]\!])(h)$ 
$[\![p^*]\!](h) = \bigcup_{i \in \mathbb{N}} F^i(h)$, where $F^0(h) = \{h\}$ and $F^{i+1}(h) = ([\![p]\!] \bullet F^i)(h)$ 
$[\![dup]\!](\sigma :: h) = \{\sigma :: (\sigma :: h)\}$ 
$(f \bullet g)(x) = \bigcup \{\, g(y) \mid y \in f(x) \,\}$ 

Fig. 2: NetKAT: Syntax and Semantics [3] 


In Figure 2, we recall the NetKAT syntax and semantics [3]. The predicate 
for dropping a packet is denoted by 0, while passing on a packet (without any 
modification) is denoted by 1. The predicate checking whether the field f of a 
packet has value n is denoted by (f = n); if the predicate fails on the current 
packet it results on dropping the packet, otherwise it will pass the packet on. 
Disjunction and conjunction between predicates are denoted by $Pr + Pr$ and $Pr \cdot Pr$, 
respectively. Negation is denoted by $\neg Pr$. Predicates are the basic building 
blocks of NetKAT policies and hence, a predicate is a policy by definition. The 
policy that modifies the field $f$ of the current packet to take value $n$ is denoted by 
$(f \leftarrow n)$. A multicast behaviour of policies is denoted by $N + N$, while sequencing 
policies (to be applied on the same packet) are denoted by $N \cdot N$. The repeated 
application of a policy is encoded as $N^*$. The construct $dup$ simply makes a 
copy of the current network packet. 

In [3], lists of packets are referred to as histories. Let $H$ stand for the set of 
packet histories, and $\mathcal{P}(H)$ denote the powerset of $H$. More formally, the denota- 
tional semantics of NetKAT policies is inductively defined via the semantic map 
$[\![-]\!]\colon N \to (H \to \mathcal{P}(H))$ in Figure 2, where $N$ stands for the set of NetKAT 
policies, $h \in H$ is a packet history, $a \in Pr$ denotes a NetKAT predicate and 
$\sigma \in F \rightharpoonup \mathbb{N}$ is a network packet. 

For a reminder, the equational axioms of NetKAT include the Kleene Algebra 
axioms, Boolean Algebra axioms and the so-called Packet Algebra axioms that 
handle NetKAT networking specific constructs such as field assignments and 
$dup$. In this paper, we write $E_N$ to denote the NetKAT axiomatisation [3]. 


2.2 Design Decisions 


Our main motivation behind DyNetKAT is to have a minimalist language that 
can model control-plane and data-plane network traffic and their interaction. 
Our choice for a minimal language is motivated by our desire to use our lan- 
guage as a basis for scalable analysis. We would like to be able to compile major 
practical languages into ours. Our minimal design helps us reuse much of the 
well-known scalable analysis techniques. Regarding its modelling capabilities, 
we are interested in modelling the stateful and dynamic behaviour of networks 
emerging from these interactions. We would like to be able to model control mes- 
sages, connections between controllers and switches, data packets, links among 
switches, and model and analyse their interaction in a seamless manner. 


Based on these motivations, we start off with NetKAT as a fundamental and 
minimal network programming language, which allows us to model the basic 
policies governing the network traffic. The choice of NetKAT, in addition to 
its minimalist nature, is motivated by its rigorous semantics and equational 
theory, and the existing techniques and tools for its analysis. This motivates 
our next design constraint, namely, to build upon NetKAT in a hierarchical 
manner and without redefining its semantics. This constraint should not be 
taken lightly as the challenges in the recent concurrent extensions of NetKAT 
demonstrated [11, 18,21]. We will elaborate on this point, in the presentation 
of our syntax and semantics. We can achieve this thanks to the abstractions 
introduced in the domain [17] that allow for a neat layering of data-plane and 
control-plane flows such that every data-plane flow sees one set of flow-tables in 
its flight through the network. 


We introduce a few extensions and modifications to cater for the phenomena 
we desire to model in our extension regarding control-plane and dynamic and 
stateful behaviour, as follows. (a) Parallel composition and synchronisation: we 
introduce a basic mechanism for parallel composition based on handshake syn- 
chronisation with the possibility of communicating a network program (a flow 
table). The point of adding parallel composition is to have parallel controllers 
and switches as separate syntactic entities: controllers trigger reconfigurations 
and switches accept different types of reconfiguration and change their continu- 
ation accordingly. (b) Guarded recursion: we introduce the concept of recursion 
to model the (persistent) dynamic changes that result from control messages 
and stateful behaviour. In other words, recursion is used to model the new state 
of the flow tables. An alternative modelling construct could have been using 
“global” variables and guards, but we prefer recursion due to its neat algebraic 
representation. We restrict the use of recursion to guarded recursion, that is a 
policy should be applied before changing state to a new recursive definition, in 
order to remain within a decidable and analyse-able realm. A natural extension 
of our framework could introduce formal parameters and parameterised recur- 
sive variables; this future extension is orthogonal to our existing extensions and 
in this paper, we go for a minimal extension in which the parameters are coded 
in variable names. (c) Multi-packet semantics: we introduce the semantics of 
treating a list of packets, which is essential for studying the interaction between 
control- and data plane packets. This is in contrast with NetKAT where a single- 
packet semantics is introduced. The introduction of multi-packet semantics also 
called for a new operator to denote the end of applying a flow-table to the cur- 
rent packet and proceeding with the next packet (possibly with the modified 
flow-table in place). This is our new sequential composition operator, denoted 
by “;”. Inspired by the abstractions in the software defined networking community [17], we assume each packet is processed either using the configuration in 
place prior to the update, or the configuration in place after the update, but 
never a mixture of the two. 


2.3 DyNetKAT Syntax 


As already mentioned, NetKAT provides the possibility of recording the individual “hops” that packets take as they go through the network by using the so-called dup construct. The latter keeps track of the state of the packet at each intermediate hop. As a brief reminder of the approach in [3]: assume a NetKAT switch policy p and a topology t, together with an ingress in and an egress out. Checking whether out is reachable from in reduces to checking $in \cdot dup \cdot (p \cdot t \cdot dup)^* \cdot out \neq 0$ (see Definition 2 and Theorem 4 in [3]). Furthermore, as shown in [10], dup plays a crucial role in devising the NetKAT language semantics in a coalgebraic fashion, via Brzozowski-like derivatives on top of NetKAT coalgebras (or NetKAT automata) corresponding to NetKAT expressions. 

We decided to depart from NetKAT in this respect, due to our important 
constraint not to redefine the NetKAT semantics: the dup expression allows for 
observable intermediate steps that result from incomplete application of flow- 
tables and in concurrency scenarios, the same data packet may become subject 
to more than one flow table due to the concurrent interactions with the control 
plane. For this semantics to be compositional, one needs to define a small step 
operational semantics in such a way that the small steps in predicate evaluation 
also become visible (see our past work on compositionality of SOS with data 
on such constraints [15]). This will first break our constraint in building upon NetKAT semantics and secondly, due to the huge number of possible interleavings, make the resulting state-space intractable for analysis. 

In addition to the argumentation above, note that similarly to the approach in [3], we work with packet fields ranging over finite domains. Consequently, our analyses can be formulated in terms of reachability properties, further verifiable by means of dup-free expressions of shape $in \cdot (p \cdot t)^* \cdot out \neq 0$. Hence, we chose to define DyNetKAT synchronisation, guarded recursion and multi-packet semantics on top of the dup-free fragment of NetKAT, denoted by NetKAT$^{-dup}$. 

The syntax of DyNetKAT is defined on top of the dup-free fragment of NetKAT as: 

\[ N ::= \text{NetKAT}^{-dup} \]
\[ D ::= \bot \mid N ; D \mid x?N ; D \mid x!N ; D \mid D \parallel D \mid D \oplus D \mid X \qquad (1) \]
\[ X \triangleq D \]

We write $p \in \text{NetKAT}$, $p \in \text{NetKAT}^{-dup}$ or, respectively, $p \in \text{DyNetKAT}$ in order to refer to a NetKAT, NetKAT$^{-dup}$ or, respectively, DyNetKAT policy p. 

The DyNetKAT-specific constructs are as follows. By $\bot$ we denote a dummy policy without behaviour. Our new sequential composition operator, denoted by $N ; D$, specifies that once the NetKAT$^{-dup}$ policy N applicable to the current packet has come to a successful end, the packet can be transmitted further and the next packet can be fetched for processing according to the rest of the policy D. 

Communication in DyNetKAT, encoded via $x!N ; D$ and $x?N ; D$, consists of two steps. In the first place, sending and receiving NetKAT$^{-dup}$ policies through channel x are denoted by $x!N$ and $x?N$. In an expression such as $x?N ; P_N$, the combination of the channel name x and the update type N determines the continuation process $P_N$; considering N as a placeholder in $P_N$ enables defining compositional and compact parameterised DyNetKAT specifications. Secondly, as soon as the sent or received messages are successfully communicated, a new packet is fetched and processed according to D. The parallel composition of two DyNetKAT policies (to enable synchronisation) is denoted by $D \parallel D$. 

As it will become clearer in Section 2.4, communication in DyNetKAT guarantees preservation of well-defined behaviours when transitioning between network configurations. This corresponds to the so-called per-packet consistency in [17], and it guarantees that every packet traversing the network is processed according to exactly one NetKAT$^{-dup}$ policy. 

Non-deterministic choice of DyNetKAT policies is denoted by $D \oplus D$. For a non-deterministic choice over a finite domain P, we use the syntactic sugar $\bigoplus_{p \in P} P'$, where p appears as “bound variable” in $P'$; this is interpreted as a sum of finitely many summands obtained by replacing the variable p with all its possible values in P. 

Finally, one can use recursive variables X in the specification of DyNetKAT policies, where each recursive variable should have a unique defining equation $X \triangleq D$. For the simplicity of notation, we do not explicitly specify the trailing “$; \bot$” in our policy specifications, whenever clear from the context. 

In Figure 3 we provide the DyNetKAT formalisation of the firewall in Ex- 
ample 1. In the DyNetKAT encoding, we use the message channel secConReq to 
open up the connection and secConEnd to close it. We model the behaviour of 
the switch using the two programs Switch and Switch’. 


\[ Switch \triangleq ((port = int) \cdot (port \leftarrow ext)) ; Switch \;\oplus\; ((port = ext) \cdot 0) ; Switch \;\oplus\; secConReq?1 ; Switch' \]
\[ Switch' \triangleq ((port = int) \cdot (port \leftarrow ext)) ; Switch' \;\oplus\; ((port = ext) \cdot (port \leftarrow int)) ; Switch' \;\oplus\; secConEnd?1 ; Switch \]
\[ Host \triangleq secConReq!1 ; Host' \qquad Host' \triangleq secConEnd!1 ; Host \qquad Init \triangleq Host \parallel Switch \]

Fig. 3: Stateful Firewall in DyNetKAT 


2.4 DyNetKAT Semantics 


The operational semantics of DyNetKAT in Figure 4 is provided over configurations of shape $(d, H, H')$, where d stands for the current DyNetKAT policy, H is the list of packets to be processed by the network according to d and $H'$ is the list of packets handled successfully by the network. The rule labels $\gamma$ range over pairs of packets $(\sigma, \sigma')$ or communication/reconfiguration-like actions of shape $x!q$, $x?q$ or $rcfg(x, q)$, depending on the context. 

\[ (cpol_{;}) \quad \frac{\sigma' \in [\![p]\!](\sigma :: \langle\rangle)}{(p ; q,\ \sigma :: H,\ H') \xrightarrow{(\sigma, \sigma')} (q,\ H,\ \sigma' :: H')} \]
\[ (cpol_X) \quad \frac{(p, H_0, H_1) \xrightarrow{\gamma} (p', H_0', H_1')}{(X, H_0, H_1) \xrightarrow{\gamma} (p', H_0', H_1')} \quad X \triangleq p \]
\[ (cpol_\oplus) \quad \frac{(p, H_0, H_0') \xrightarrow{\gamma} (p', H_1, H_1')}{(p \oplus q, H_0, H_0') \xrightarrow{\gamma} (p', H_1, H_1')} \qquad (cpol_\parallel) \quad \frac{(p, H_0, H_0') \xrightarrow{\gamma} (p', H_1, H_1')}{(p \parallel q, H_0, H_0') \xrightarrow{\gamma} (p' \parallel q, H_1, H_1')} \]
\[ (cpol_{?!}) \quad (x \odot p ; q,\ H,\ H') \xrightarrow{x \odot p} (q,\ H,\ H') \qquad \odot \in \{?, !\} \]
\[ (cpol_{rcfg}) \quad \frac{(q, H, H') \xrightarrow{x?p} (q', H, H') \qquad (s, H, H') \xrightarrow{x!p} (s', H, H')}{(q \parallel s,\ H,\ H') \xrightarrow{rcfg(x, p)} (q' \parallel s',\ H,\ H')} \]
\[ \gamma ::= (\sigma, \sigma') \mid x!q \mid x?q \mid rcfg(x, q) \]

Fig. 4: DyNetKAT: Operational Semantics (relevant excerpt) 


Note that the DyNetKAT semantics is devised in a “layered” fashion. Rule $(cpol_{;})$ in Figure 4 is the base rule that makes the transition between the NetKAT denotations and DyNetKAT operations. More precisely, whenever $\sigma'$ is a packet resulting from the successful evaluation of a NetKAT policy p on $\sigma$, a $(\sigma, \sigma')$-labelled step is observed at the level of DyNetKAT. This transition applies whenever the current configuration encapsulates a DyNetKAT policy of shape $p ; q$ and a list of packets to be processed starting with $\sigma$. The resulting configuration continues with evaluating q on the next packet in the list, while $\sigma'$ is marked as successfully handled by the network. 


The remaining rules in Figure 4 define non-deterministic choice $\oplus$, synchronisation $\parallel$ and recursion X in the standard fashion. Note that synchronisations leave the packet lists unchanged. Moreover, we choose not to hide the channel x and the policy p being communicated (as is usually the case in ACP), but rather keep this information visible outside the SDN being modelled, by means of the label $rcfg(x, p)$. Due to space limitation, we omitted the explicit definitions of the symmetric cases for $\oplus$ and $\parallel$. The full semantics is provided in [7]. 


In Figure 5 we depict a labelled transition system (LTS) encoding a possible behaviour of the stateful firewall in Example 1. We assume the list of network packets to be processed consists of a “safe” packet $\sigma_i$ travelling from int to ext (i.e., $\sigma_i(port) = int$) followed by a potentially “dangerous” packet $\sigma_e$ travelling from ext to int (i.e., $\sigma_e(port) = ext$). For the simplicity of notation, in Figure 5 we write H for Host, S for Switch, $S'$ for $Switch'$, SCR for secConReq and SCE for secConEnd. Note that $\sigma_e$ can enter the network only if a secure connection request was received. More precisely, the transition labelled $(\sigma_e, \sigma_i)$ is preceded by a transition labelled SCR?1 or rcfg(SCR, 1): 
\[ n_2 \xrightarrow{SCR?1,\ rcfg(SCR,1)} n_3 \xrightarrow{(\sigma_e, \sigma_i)} n_4. \]

[Figure 5 (diagram not recoverable from the extracted text): an LTS whose states $n_1, \ldots, n_5$ are configurations of shape (policy, packets to process, packets handled), e.g. $n_1 : (H \parallel S', \sigma_i :: \sigma_e :: \langle\rangle, \langle\rangle)$ and $n_5 : (H \parallel S, \langle\rangle, \sigma_i :: \sigma_e :: \langle\rangle)$, with transitions labelled $(\sigma_i, \sigma_e)$, $(\sigma_e, \sigma_i)$, SCR!1, SCR?1, rcfg(SCR, 1), SCE!1 and rcfg(SCE, 1).] 

Fig. 5: Stateful Firewall LTS 


3 Semantic Results 


In this section we define bisimilarity of DyNetKAT policies and provide a cor- 
responding sound and ground-complete axiomatization. We start with strong 
bisimilarity because it lends itself to a neat theory. Once we establish a theory 
for strong bisimilarity, a theory for other notions of equivalence in the linear- 
time and branching-time spectrum can be obtained by adding a specific set of 
axioms following a standard recipe for each notion. We use this approach to 
reason about safety properties that are about traces. 
Bisimilarity of DyNetKAT terms is defined in the standard fashion: 


Definition 2 (Bisimilarity ($\sim$)). A symmetric relation R over DyNetKAT policies is a bisimulation whenever for $(p, q) \in R$ the following holds: 

If $(p, H_0, H_1) \xrightarrow{\gamma} (p', H_0', H_1')$ then there exists $q'$ s.t. $(q, H_0, H_1) \xrightarrow{\gamma} (q', H_0', H_1')$ and $(p', q') \in R$, with $\gamma ::= (\sigma, \sigma') \mid x?r \mid x!r \mid rcfg(x, r)$. 

We call bisimilarity the largest bisimulation relation. Two policies p and q are bisimilar ($p \sim q$) iff there is a bisimulation relation R such that $(p, q) \in R$. 


Semantic equivalence of NetKAT$^{-dup}$ policies is preserved by DyNetKAT. 

Proposition 1 (Semantic Layering). Let p and q be NetKAT$^{-dup}$ policies. The following holds: $[\![p]\!] = [\![q]\!]$ iff $(p ; d) \sim (q ; d)$ for any DyNetKAT policy d. 
Proof sketch. This follows according to $\sim$ and $(cpol_{;})$ in Figure 4. □ 

For $p, q, r \in \text{DyNetKAT}$ and $x, y \in \text{NetKAT}^{-dup}$; for $at ::= \alpha \cdot \pi \mid x?z \mid x!z \mid rcfg_{x,z}$ and $a ::= z \mid x?z \mid x!z \mid rcfg_{x,z}$: 

\[ 0 ; p = \bot \quad (A0) \]
\[ (x + y) ; p = x ; p \oplus y ; p \quad (A1) \]
\[ p \oplus q = q \oplus p \quad (A2) \]
\[ (p \oplus q) \oplus r = p \oplus (q \oplus r) \quad (A3) \]
\[ p \oplus p = p \quad (A4) \]
\[ p \oplus \bot = p \quad (A5) \]
\[ p \parallel q = q \parallel p \quad (A6) \]
\[ p \parallel \bot = p \quad (A7) \]
\[ p \parallel q = p \lfloor\!\lfloor q \;\oplus\; q \lfloor\!\lfloor p \;\oplus\; p \mid q \quad (A8) \]
\[ \bot \lfloor\!\lfloor p = \bot \quad (A9) \]
\[ (a ; p) \lfloor\!\lfloor q = a ; (p \parallel q) \quad (A10) \]
\[ (p \oplus q) \lfloor\!\lfloor r = (p \lfloor\!\lfloor r) \oplus (q \lfloor\!\lfloor r) \quad (A11) \]
\[ (x?z ; p) \mid (x!z ; q) = rcfg_{x,z} ; (p \parallel q) \quad (A12) \]
\[ (p \oplus q) \mid r = (p \mid r) \oplus (q \mid r) \quad (A13) \]
\[ p \mid q = q \mid p \quad (A14) \]
\[ p \mid q = \bot \ [\text{owise}] \quad (A15) \]
\[ \delta_L(\bot) = \bot \quad (\delta_\bot) \]
\[ \delta_L(at ; p) = at ; \delta_L(p) \ \text{if } at \notin L \quad (\delta_{;}) \]
\[ \delta_L(at ; p) = \bot \ \text{if } at \in L \quad (\delta_L) \]
\[ \delta_L(p \oplus q) = \delta_L(p) \oplus \delta_L(q) \quad (\delta_\oplus) \]
for $n \in \mathbb{N}$: 
\[ \pi_0(p) = \bot \quad (\Pi_0) \]
\[ \pi_n(\bot) = \bot \quad (\Pi_\bot) \]
\[ \pi_{n+1}(at ; p) = at ; \pi_n(p) \quad (\Pi_{;}) \]
\[ \pi_n(p \oplus q) = \pi_n(p) \oplus \pi_n(q) \quad (\Pi_\oplus) \]
\[ p = q \ \text{if } \forall n \in \mathbb{N} : \pi_n(p) = \pi_n(q) \quad (AIP) \]
together with the NetKAT axioms $E_{NK}$. 

Fig. 6: The axiom system $E_{DNK}$ (including $E_{NK}$) 


We further provide some additional ingredients needed to introduce the DyNetKAT axiomatisation in Figure 6. First, note that our notion of bisimilarity identifies synchronisation steps as in $(cpol_{rcfg})$ in Figure 4. At the axiomatisation level, this requires introducing corresponding constants $rcfg_{x,z}$, defined as: 

\[ (cpol_{rcfg_{x,z}}) \quad (rcfg_{x,z} ; p,\ H_0,\ H_1) \xrightarrow{rcfg(x, z)} (p,\ H_0,\ H_1) \]

In accordance with standard approaches to process algebra (see, e.g., [1,4]) we consider the restriction operator $\delta_L(-)$ with L a set of forbidden actions ranging over $x?z$ and $x!z$ as in (1). In practice, we use the restriction operator to force synchronous communication. We also define a projection operator $\pi_n(-)$ that, intuitively, captures the first n steps of a DyNetKAT policy. $\pi_n(-)$ is crucial for defining the so-called “Approximation Induction Principle” that enables reasoning about equivalence of recursive DyNetKAT specifications. Last, but not least, in our axiomatisation we employ the left-merge operator ($\lfloor\!\lfloor$) and the communication-merge operator ($\mid$) utilised for axiomatising parallel composition. Intuitively, a process of shape $p \lfloor\!\lfloor q$ behaves like p as a first step, and then continues as the parallel composition between the remaining behaviour of p and q. A process of shape $p \mid q$ forces the synchronous communication between p and q in a first step, and then continues as the parallel composition between the remaining behaviours of p and q. The full description of these auxiliary operators is provided in [7]. 

From this point onward, we denote by DyNetKAT the extension with the operators $\delta_L(-)$, $\pi_n(-)$ and $rcfg_{x,z}$: 

\[ N ::= \text{NetKAT}^{-dup} \]
\[ D_e ::= \bot \mid N ; D_e \mid x?N ; D_e \mid x!N ; D_e \mid rcfg_{x,N} ; D_e \mid D_e \parallel D_e \mid D_e \oplus D_e \mid \delta_L(D_e) \mid \pi_n(D_e) \mid D_e \lfloor\!\lfloor D_e \mid D_e \mid D_e \mid X \qquad (2) \]
\[ X \triangleq D_e, \qquad n \in \mathbb{N}, \qquad L = \{ c \mid c ::= x?N \mid x!N \} \]


Bisimilarity is defined for DyNetKAT terms as in (2) in the natural fashion. 
Lemma 3 For DyNetKAT, bisimilarity is a congruence. 


Proof sketch. The result follows from the fact that the semantic rules defined in this paper comply with the congruence formats proposed in [15]; the notion of bisimilarity used in our paper coincides with the notion of stateless bisimilarity in [15] and hence, the lemma follows. □ 

In Figure 6, we introduce $E_{DNK}$, the axiom system of DyNetKAT, including the NetKAT axiomatisation $E_{NK}$. Most of the axioms in Figure 6 comply with the standard axioms of parallel and communicating processes [4], where, intuitively, $\oplus$ plays the role of non-deterministic choice, ; resembles sequential composition and $\bot$ is a process that deadlocks. An interesting axiom is (A7): $p \parallel \bot = p$ which, intuitively, states that if one network component fails, then the whole system continues with the behaviour of the remaining components. This is a departure from the approach in [11], where recovery is not possible in case of a component’s failure; i.e., $e \parallel 0 = 0$. Additionally, (A12) “pin-points” a communication step via the newly introduced constants of form $rcfg_{x,z}$. Axiom (A0) states that if the current packet is dropped as a result of the unsuccessful evaluation of a NetKAT policy, then the continuation is deadlocked. (A1) enables mapping the non-deterministic choice at the level of NetKAT to the setting of DyNetKAT. 

The axioms encoding the restriction operator $\delta_L(-)$ and the projection operator $\pi_n(-)$ are defined in the standard fashion, on top of DyNetKAT normal forms later defined in this section. Intuitively, normal forms are defined inductively, as sums of complete tests and complete assignments $\alpha \cdot \pi$, or communication steps $x?q$, $x!q$ and $rcfg_{x,q}$, followed by arbitrary DyNetKAT policies. Complete tests (typically denoted by $\alpha$) and complete assignments (typically denoted by $\pi$) were originally introduced in [3]. In short: let $F = \{f_1, \ldots, f_n\}$ be a set of field names with values in $V_i$, for $i \in \{1, \ldots, n\}$. We call complete test (resp., complete assignment) an expression $f_1 = v_1 \cdot \ldots \cdot f_n = v_n$ (resp., $f_1 \leftarrow v_1 \cdot \ldots \cdot f_n \leftarrow v_n$), with $v_i \in V_i$, for $i \in \{1, \ldots, n\}$. Last, but not least, axiom (AIP) corresponds to the so-called “Approximation Induction Principle”, and it provides a mechanism for reasoning about the equivalence of recursive behaviours, up to a certain limit denoted by n. 

In what follows, we show that the axiom system $E_{DNK}$ is sound and ground-complete with respect to DyNetKAT bisimilarity. 
Lemma 4 (NetKAT$^{-dup}$ Normal Forms). We call a NetKAT$^{-dup}$ policy q in normal form (n.f.) whenever q is of shape $\sum_{\alpha \cdot \pi \in A} \alpha \cdot \pi$ with $A = \{\alpha_i \cdot \pi_i \mid i \in I\}$. $E_{NK}$ is normalising for NetKAT$^{-dup}$. 

Proof sketch. The result follows from Lemma 4 in [3] stating that the standard semantics of every NetKAT expression is equal to the union of its minimal nonzero terms. In the context of NetKAT$^{-dup}$ and packet values drawn from finite domains (as is the case in [3]), this union can be equivalently expressed as a sum of complete tests and complete assignments. I.e., $E_{NK} \vdash r = \sum_{i \in I} \alpha_i \cdot \pi_i$ for every NetKAT$^{-dup}$ expression r. □ 


Definition 5 (DyNetKAT Normal Forms). We call a DyNetKAT policy in normal form (n.f.) if it is of shape 

\[ \bigoplus_{i \in I} (\alpha_i \cdot \pi_i) ; d_i \;\oplus\; \bigoplus_{j \in J} c_j ; d_j \qquad (\oplus\ \bot) \]

where $d_i, d_j$ range over DyNetKAT policies and $c_j ::= x?q \mid x!q \mid rcfg_{x,q}$ with q denoting terms in NetKAT$^{-dup}$. 


Definition 6 (Guardedness). A DyNetKAT policy p is guarded if and only if all occurrences of all variables X in p are guarded. An occurrence of a variable X in a policy p is guarded if and only if (i) p has a subterm of shape $p' ; t$ such that either $p'$ is variable-free, or all the occurrences of variables Y in $p'$ are guarded, and X occurs in t, or (ii) p is of shape $y?X ; t$, $y!X ; t$ or $rcfg_{y,X} ; t$. 


Note that guarded DyNetKAT policies are finitely branching. In what follows, 
we assume DyNetKAT policies are guarded. 


Lemma 7 (DyNetKAT Normalisation). $E_{DNK}$ is normalising for DyNetKAT. 

Proof sketch. The proof follows from Lemma 4 and (A1), by structural induction. Base cases: $p \triangleq \bot$ trivially holds; $p \triangleq q ; d$ with q a NetKAT$^{-dup}$ term holds by Lemma 4 and (A1); $p \triangleq c ; d$ with $c ::= x?q \mid x!q \mid rcfg_{x,q}$ trivially holds. Induction step, cases: $p \triangleq X$ is discarded, as p is not guarded; $p \triangleq p_1 \oplus p_2$; $p \triangleq p_1 \lfloor\!\lfloor p_2$; $p \triangleq \pi_n(p')$; $p \triangleq p_1 \mid p_2$; $p \triangleq \delta_L(p')$ and, eventually, $p \triangleq p_1 \parallel p_2$. All items before follow by the axiom system $E_{DNK}$ and the induction hypothesis, under the assumption that $p_1$, $p_2$ and $p'$ are guarded. □ 


Lemma 8 (Soundness of $E_{DyNetKAT \setminus AIP}$). Let $E_{DyNetKAT \setminus AIP}$ stand for the axiom system $E_{DNK}$ in Figure 6, without the axiom (AIP). $E_{DyNetKAT \setminus AIP}$ is sound for DyNetKAT bisimilarity. 

Proof sketch. This is proven in a standard fashion, by case analysis on transitions of shape $(p, H_0, H_0') \xrightarrow{\gamma} (q, H_1, H_1')$ with $\gamma ::= (\sigma, \sigma') \mid x?n \mid x!n \mid rcfg(x, n)$, according to the semantic rules of the DyNetKAT operators in (2). Take (A0) for instance. The left hand-side $0 ; p$ can only evolve according to $(cpol_{;})$ in Fig. 4 which, in turn, has an empty premise as $[\![0]\!](\sigma :: \langle\rangle) = \{\}$ for all $\sigma$. Thus, $(cpol_{;})$ does not entail any step for this case. Symmetrically, there is no semantic transition for $\bot$ in Fig. 4. In other words, neither of the left/right hand-sides of (A0) displays any behaviour, therefore the axiom is sound. □ 


Lemma 9 (Soundness of AIP) The Approx. Induction Principle (AIP) is 
sound for DyNetKAT bisimilarity. 


Proof sketch. The proof is close to the one of Theorem 2.5.8 in [4] and uses the branching finiteness property of guarded DyNetKAT policies. □ 


Theorem 1 (Soundness & Completeness). $E_{DNK}$ is sound and ground-complete for DyNetKAT bisimilarity. 

Proof. Soundness: if $E_{DNK} \vdash p = q$ then $p \sim q$, follows from Lemma 8 and Lemma 9. Completeness: if $p \sim q$ then $E_{DNK} \vdash p = q$, is shown as follows. Without loss of generality, assume p and q are in n.f., according to Lemma 7. We want to show that $p = q \oplus p$ and $q = p \oplus q$ which, by ACI of $\oplus$, implies $p = q$. This reduces to showing that every summand of p is a summand of q and vice-versa. We first argue that every summand of p is a summand of q. The reasoning is by structural induction. 

Base case $p = \bot$ holds by the hypothesis $p \sim q$ that $q = \bot$. 

Induction step. Case $p = ((\alpha \cdot \pi) ; p') \oplus p''$: then, $(p, \sigma_\alpha :: H, H') \xrightarrow{(\sigma_\alpha, \sigma_\pi)} (p', H, \sigma_\pi :: H')$ implies by the hypothesis $p \sim q$ that $(q, \sigma_\alpha :: H, H') \xrightarrow{(\sigma_\alpha, \sigma_\pi)} (q', H, \sigma_\pi :: H')$ and $p' \sim q'$. Recall that q is in n.f.; hence, by the shape of the semantic rules in Figure 4 it holds that $q \triangleq ((\alpha \cdot \pi) ; q') \oplus q''$. By the induction hypothesis, it holds that $p' = q'$ hence, $(\alpha \cdot \pi) ; p'$ is a summand of q as well. Cases $p \triangleq (c ; p') \oplus p''$ with $c ::= x?n \mid x!n \mid rcfg_{x,n}$ follow in a similar fashion. Hence, $p = q \oplus p$ holds. The symmetric case $q = p \oplus q$ follows the same reasoning. 


We refer to [7] for the complete proofs and additional details. 


4 A Framework for Safety 


In this section we provide a language for specifying safety properties for networks 
characterized by DyNetKAT, together with a procedure for reasoning about 
safety in an equational fashion. Intuitively, safety properties enable specifying 
the absence of undesired network behaviours. 


Definition 10 (Safety Properties - Syntax). Let A be an alphabet over letters of shape $\alpha \cdot \pi$ and $rcfg_{x,p}$, with $\alpha$ and $\pi$ ranging over complete tests and assignments, and $rcfg_{x,p}$ ranging over reconfiguration actions. Safety properties are defined in the following fashion: 
\[ act ::= \alpha \cdot \pi \mid rcfg_{x,p} \qquad (\alpha \cdot \pi,\ rcfg_{x,p} \in A) \]
\[ regexp ::= true \mid act \mid \neg act \mid regexp + regexp \mid regexp \cdot regexp \mid (regexp)^n \quad (\text{with } n \geq 1) \]
\[ prop ::= [regexp]\,false \]
A safety property specification prop is satisfied whenever the behaviour encoded by regexp is not observed within the network. Regular expressions regexp are defined with respect to actions act: a flow of shape $\alpha \cdot \pi$ is the observable behaviour of a (NetKAT$^{-dup}$) policy transforming a packet encoded by $\alpha$ into $\alpha_\pi$, whereas $rcfg_{x,p}$ corresponds to a reconfiguration step in a network. Recursively, a sum of regular expressions $regexp_1 + regexp_2$ encodes the union of the two behaviours, a concatenation of regular expressions $regexp_1 \cdot regexp_2$ encodes the behaviour of $regexp_1$ followed by the behaviour of $regexp_2$. A property of shape $[\neg a]\,false$, with $a \in A$, states that the system cannot do anything apart from a as a first step. The property $[true]\,false$ states that no action can be observed in the network, whereas $[r^n]\,false$ encodes the repeated application of r for n times. 

Note that true, negated expressions $\neg a$ and repetitions $r^n$ are mere syntactic sugars of equivalent expressions free of these operations. Not surprisingly, “de-sugaring” ($ds(-)$) is defined as: 

\[ ds(true) \triangleq \sum_{a \in A} a \]
\[ ds(\neg a) \triangleq \sum_{a_i \in A,\ a_i \neq a} a_i \]
\[ ds(r^n) \triangleq \underbrace{ds(r) \cdot \ldots \cdot ds(r)}_{n \text{ times}} \]
\[ ds(r_1 \cdot r_2) \triangleq ds(r_1) \cdot ds(r_2) \ \text{if } r_1 \cdot r_2 \text{ not de-sugared} \]
\[ ds(r_1 + r_2) \triangleq ds(r_1) + ds(r_2) \ \text{if } r_1 + r_2 \text{ not de-sugared} \]
\[ ds(r) \triangleq r \ [\text{owise}] \]


The complete formal definition of the de-sugaring function is provided in [7]. 


Definition 11 (Safety Properties - Semantics). Let A be an alphabet over letters of shape $\alpha \cdot \pi$ and $rcfg(x, p)$, with $\alpha$ and $\pi$ ranging over complete tests and assignments, and $rcfg(x, p)$ ranging over reconfiguration actions. We write $w, w'$ for (non-empty) words with letters in A (i.e., $w, w' \in A^*$) and $|w|$ for the length of w. We write $w' \leq w$ whenever $w'$ is a prefix of w (including w). 

Let r be a de-sugared regular expression (regexp) as in Definition 10. We call head normal form (h.n.f.) of r, denoted by $hnf(r)$, the sum of words as above obtained by left-/right-distributing $\cdot$ over $+$ in r, in the standard fashion. Note that such a h.n.f. always exists for r. Let Prop stand for the set of all properties as in Definition 10, in h.n.f. 

The semantic map $[\![-]\!] : Prop \to \text{DyNetKAT}$ associates to each safety property in Prop a DyNetKAT expression as follows. Let O be the DyNetKAT policy (in normal form) encoding all possible behaviours over A: $O \triangleq \bigoplus_{a \in A} (a ; \bot \oplus a ; O)$. Then: 

\[ [\![\,[\textstyle\sum_{i \in I} w_i]\,false\,]\!] \;=\; \bigoplus_{\substack{w \in A^*,\ |w| < M \\ \forall i \in I:\ w_i \not\leq w}} \overline{w} ; \bot \;\oplus\; \bigoplus_{\substack{w \in A^*,\ |w| = M \\ \forall i \in I:\ w_i \not\leq w}} (\overline{w} ; \bot \oplus \overline{w} ; O) \qquad (3) \]

such that M is the length of the longest word $w_i$, with $i \in I$, and $\overline{w}$ is a DyNetKAT-compatible term obtained from w where all letters have been separated by ; and inductively defined in the obvious way. Namely, $\overline{a} \triangleq a$ for $a \in A$ and $\overline{a \cdot w} \triangleq a ; \overline{w}$ for $a \in A$ and $w \in A^*$. The semantic map $[\![-]\!]$ is defined following the intuition provided earlier in this section. For instance, as shown in (3), if none of the sequences of steps $w_i$ can be observed in the system, then the associated DyNetKAT term prevents the immediate execution of all $w_i$. 


Typically, safety analysis is reduced to reachability. In our context, a safety 
property is violated whenever the network system under analysis displays a (fi- 
nite) execution that is not in the behaviour of the property. Thus, the aforemen- 
tioned semantic map is based on traces (or words in A*) and is not sensitive 
to branching. This paves the way to reasoning about safety properties in an 
equational fashion. 


Definition 12 (Safe Network Systems). Let $E^{tr}_{DNK}$ stand for the equational axioms in Figure 6, including the additional axiom that enables switching from the context of bisimilarity to trace equivalence of DyNetKAT policies, namely: $p ; (q \oplus r) = p ; q \oplus p ; r$. Assume a specification given as the safety formula s and a network system implemented as the DyNetKAT policy i. We say that the network is safe whenever the following holds: $E^{tr}_{DNK} \vdash [\![s]\!] \oplus i = [\![s]\!]$. In words: checking whether i satisfies s reduces to checking whether the trace behaviour of i is included in that of s. 


For an example, consider the firewall in Figure 1 and the corresponding encoding in Figure 3. Recall that reaching int from ext without observing a secure connection request is a faulty behaviour. This entails the safety formula $s_n$ defined as $[(\neg rcfg_{secConReq,1})^n \cdot (\alpha \cdot \pi)]\,false$, for $n \in \mathbb{N}$, $\alpha \triangleq (port = ext)$ and $\pi \triangleq (port \leftarrow int)$. Therefore, checking whether the network is safe reduces to checking, for all $n \in \mathbb{N}$: $E^{tr}_{DNK} \vdash [\![s_n]\!] \oplus Init = [\![s_n]\!]$. Note that, for a fixed n, the verification procedure resembles bounded model checking [5]. 


5 Implementation 


In this section, we describe our implementation for formal reasoning about dynamic networks. Our prototype tool, called DyNetiKAT (available at https://github.com/hcantunc/DyNetiKAT) is based on Maude [8], the NetKAT decision procedure [10], and Python [19] as a glue language. Our modular extension of NetKAT allows for reusing the NetKAT tools in our framework. In our prototype, we focus on checking reachability and waypointing in a dynamic setting. We build upon the methods for checking reachability and waypointing properties in NetKAT [3]. For a reminder, in NetKAT, reachability and waypointing properties are characterised as follows: for reachability properties, an egress point out is reachable from an ingress point in, in the context of a switch policy p and topology t, whenever the following NetKAT equivalence holds: $in \cdot (p \cdot t)^* \cdot out \not\equiv 0$. For waypointing properties, an intermediate point w between in and out is considered a waypoint from in to out if all the packets from in to out go through w. Such a property is satisfied if the following equivalence holds: 
\[ in \cdot (p \cdot t)^* \cdot out + in \cdot (\neg out \cdot p \cdot t)^* \cdot w \cdot (\neg in \cdot p \cdot t)^* \cdot out \;\equiv\; in \cdot (\neg out \cdot p \cdot t)^* \cdot w \cdot (\neg in \cdot p \cdot t)^* \cdot out \]


In order to utilise the NetKAT decision procedure for property checking we represent the properties given as regular expressions (as described in Section 4). To this end, we introduced the operators $head(D)$ and $tail(D, R)$, where D is a DyNetKAT term and R is a set of terms of shape $rcfg_{x,y}$. Intuitively, the operator $head(D)$ returns a NetKAT policy representing the current configuration in D, and $tail(D, R)$ returns a DyNetKAT policy which is the sum of policies in D that appear after the synchronisation events in R. We utilise these operators as follows: for a given DyNetKAT term we apply our equational reasoning framework to unfold the expression and rewrite it into the normal form. Then, we extract the desired configurations by using the head and tail operators. After this step, the resulting expression is a NetKAT term and we use the NetKAT decision procedure for checking properties. For example, consider the safety property $[(true)^n \cdot (\alpha \cdot \pi)]\,false$ as in Definition 10, and a network SDN. Note that for a given complete assignment, there exists a corresponding complete test with the same values, e.g., the corresponding complete test for the complete assignment $f_0 \leftarrow v_0 \cdot \ldots \cdot f_n \leftarrow v_n$ is $f_0 = v_0 \cdot \ldots \cdot f_n = v_n$. Henceforth, we write $\alpha_\pi$ to represent the corresponding complete test of $\pi$. The property $[(true)^n \cdot (\alpha \cdot \pi)]\,false$ can be encoded in the style of NetKAT as follows: 

\[ \alpha \cdot head(\pi_n(SDN)) \cdot \alpha_\pi \equiv 0 \qquad (4) \]
\[ \alpha \cdot head(tail(\pi_n(SDN), R)) \cdot \alpha_\pi \equiv 0 \qquad (5) \]


where R is the set of all synchronisation events in the network and $\pi_n(-)$ is the projection operator equationally defined in Figure 6. In our technical report [7] we provide the corresponding correctness specification of the stateful example discussed in Section 1. Note that in practice the parameter n in $\pi_n$ is a fixed value specified by the user. Intuitively, (4) expresses that the initial configuration of the network is not able to transform the packets satisfying the predicate $\alpha$ such that they satisfy the predicate $\alpha_\pi$, and (5) expresses that this transformation is still not possible in the configurations after any sequence of synchronisation events. Formally, the operators head and tail are defined as follows: 

\[ head(\bot) = 0 \qquad\qquad tail(\bot, R) = \bot \]
\[ head(N ; D) = N + head(D) \qquad\qquad tail(N ; D, R) = tail(D, R) \]
\[ head(D \oplus Q) = head(D) + head(Q) \qquad\qquad tail(D \oplus Q, R) = tail(D, R) \oplus tail(Q, R) \]
\[ head(rcfg_{x,N} ; D) = 0 \qquad\qquad tail(rcfg_{x,N} ; D, R) = D \oplus tail(D, R) \ \text{if } rcfg_{x,N} \in R \]
\[ tail(rcfg_{x,N} ; D, R) = \bot \ \text{if } rcfg_{x,N} \notin R \]


Note that we assume the DyNetKAT terms given as input to the operators head and tail do not contain terms of shape $x?q$ and $x!q$. This can be ensured by applying the restriction operator $\delta_L$ on the input terms. 

Fig. 7: A FatTree Topology 

Observe that the safety properties of Definition 10 are designed to capture unsafe flows. Similarly, one can also define the syntax $\langle regexp \rangle\,true$ to express that a certain safe flow is possible and reason about it. For an example, consider the stateful firewall example and the property $\langle (rcfg_{secConReq,1})^n \cdot (\alpha \cdot \pi) \rangle\,true$, where $\alpha \triangleq (port = ext)$ and $\pi \triangleq (port \leftarrow int)$. This property expresses that the flow from port ext to port int is possible after the event $rcfg_{secConReq,1}$. This property can be encoded in the NetKAT style as $\alpha \cdot head(tail(\pi_n(Init), R)) \cdot \alpha_\pi \not\equiv 0$ where $R = \{rcfg_{secConReq,1}\}$. 
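As an added example (not the DyNetiKAT tool's code), the following Python implements head and tail over DyNetKAT terms in the normal form of Definition 5 and evaluates the encodings (4), (5) and the $\langle (rcfg_{secConReq,1})^n \cdot (\alpha \cdot \pi) \rangle\,true$ property for the firewall of Figure 3. It assumes that $\pi_n(\delta_L(Init))$ is unfolded by hand from Figures 3 and 4 rather than by the Maude rewriting the paper uses, and that a NetKAT$^{-dup}$ policy in normal form is a set of (complete test, complete assignment) pairs over the single field port, so that $\alpha \cdot P \cdot \alpha_\pi \equiv 0$ reduces to a membership test.

```python
# NetKAT^{-dup} policies in normal form (Lemma 4): a frozenset of (complete test,
# complete assignment) pairs over the single field port; 0 is the empty set and
# + is set union.  Packets are identified with their port value.
INT, EXT = "int", "ext"
FWD_INT_EXT = frozenset({(INT, EXT)})      # (port = int) . (port <- ext)
FWD_EXT_INT = frozenset({(EXT, INT)})      # (port = ext) . (port <- int)
ONE = frozenset({(INT, INT), (EXT, EXT)})  # the NetKAT policy 1 carried by rcfg
SCR = ("rcfg", "secConReq", ONE)           # rcfg_{secConReq,1}
SCE = ("rcfg", "secConEnd", ONE)           # rcfg_{secConEnd,1}

# A restricted DyNetKAT term in the normal form of Definition 5 is either BOT or a
# list of summands (act, continuation), act being ("pol", N) for N;D or an rcfg
# triple for rcfg_{x,N};D.  No x?N / x!N summands survive delta_L.
BOT = "bot"

def summands(d):
    return [] if d == BOT else list(d)

def proj_firewall(n, state=("Host", "Switch")):
    """pi_n(delta_L(Init)) for the firewall of Fig. 3, unfolded by hand from the
    rules of Fig. 4 and axioms (A8)-(A12): one summand per restricted step."""
    if n == 0:                                   # (Pi_0)
        return BOT
    if state == ("Host", "Switch"):              # (port = ext) . 0 vanishes by (A0), (A5)
        return [(("pol", FWD_INT_EXT), proj_firewall(n - 1, state)),
                (SCR, proj_firewall(n - 1, ("Host'", "Switch'")))]
    return [(("pol", FWD_INT_EXT), proj_firewall(n - 1, state)),
            (("pol", FWD_EXT_INT), proj_firewall(n - 1, state)),
            (SCE, proj_firewall(n - 1, ("Host", "Switch")))]

def head(d):
    """head(bot) = 0, head(N;D) = N + head(D), head(rcfg;D) = 0, and head
    distributes over (+): the NetKAT policy of the current configuration."""
    pol = frozenset()
    for act, cont in summands(d):
        if act[0] == "pol":
            pol |= act[1] | head(cont)
    return pol

def tail(d, R):
    """tail(N;D, R) = tail(D, R); tail(rcfg;D, R) = D (+) tail(D, R) if rcfg in R,
    bot otherwise; tail distributes over (+)."""
    out = []
    for act, cont in summands(d):
        if act[0] == "pol":
            out += summands(tail(cont, R))
        elif act in R:
            out += summands(cont) + summands(tail(cont, R))
    return out or BOT

def can_forward(policy, alpha, pi):
    """alpha . policy . alpha_pi != 0 for a normal-form policy: some summand
    tests alpha and assigns pi (alpha_pi being the test with pi's values)."""
    return (alpha, pi) in policy

def check_firewall(n):
    """(4), (5) and the <...>true property on pi_n(Init), for alpha = (port = ext)
    and pi = (port <- int); each value is 'alpha . head(...) . alpha_pi != 0'."""
    sdn = proj_firewall(n)
    return {
        # (4): the initial configuration never forwards ext -> int
        "initial_config": can_forward(head(sdn), EXT, INT),
        # (5) with R = all synchronisation events: the flow exists after an update,
        # so [(true)^n . (alpha.pi)]false does not hold for this network (by design)
        "after_any_sync": can_forward(head(tail(sdn, {SCR, SCE})), EXT, INT),
        # <(rcfg_{secConReq,1})^n . (alpha.pi)>true: possible once a request was seen
        "after_request": can_forward(head(tail(sdn, {SCR})), EXT, INT),
        # configurations reached through secConEnd events only: still impossible
        "after_end_only": can_forward(head(tail(sdn, {SCE})), EXT, INT),
    }
```

Because $\pi_n$ bounds the unfolding, the request-then-forward flow only becomes visible for $n \geq 2$, which is the bounded-model-checking flavour noted in Section 4.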


6 Experimental Evaluation 


In this section we evaluate the applicability of our implementation based on a 
FatTree [22] topology case. FatTrees are hierarchical topologies commonly used 
in data centers. Figure 7 illustrates a FatTree with 3 levels: core, aggregation 
and top-of-rack (ToR). The switches at each level contain a number of redundant 
links to the upper level. The groups of ToR switches and their corresponding 
aggregation switches are called pods. For our experiments, we generated 6 Fat- 
Trees that grow in size and achieve a maximum size of 1344 switches. For these 
networks we computed a shortest path forwarding policy between all pairs of 
ToR switches. The number of switches in the ToR layer is set to $k^2/4$ where k is the number of pods in the network. 

We check dynamic properties on these networks and assess the time per- 
formance of our tool. We consider a scenario involving two ToR switches T_a 
and T_b that reside in different pods. Initially, all packets from T_a to T_b traverse 
through a firewall A_1 in the aggregation layer which filters SSH packets. The 
controller then decides to shift the firewall from A_1 to another switch A_2 in the 
aggregation layer. For this purpose, the controller updates the corresponding ag- 
gregation and core layer switches, resulting in 4 updates. The checked properties 
are as follows: (i) At any point while the controller is performing the updates, 
non-SSH packets from T_a can always reach T_b. (ii) At any point while the con- 
troller is performing the updates, SSH packets from T_a can never reach T_b. (iii) 
After all the updates are performed, A_2 is a waypoint between T_a and T_b. 
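The scenario above, as an added example that is neither the DyNetKAT tool's code nor the paper's FatTree generator: a two-pod FatTree is constructed (the switch names, the flow tables, the firewall placement on A00 and A01, and the four-update sequence are all assumptions made here), the NetKAT decision procedure is replaced by an explicit forwarding simulation in which each packet sees one fixed set of flow tables, and properties (i)-(iii) are evaluated on every configuration the controller passes through:

```python
"""Added example (not the DyNetKAT tool or the paper's generator): the firewall-
migration scenario of Section 6 on a small constructed two-pod FatTree, with
properties (i)-(iii) checked on every configuration the controller passes through.
The NetKAT decision procedure is replaced by an explicit forwarding simulation;
switch names, flow tables and the update sequence are assumptions."""

# Constructed topology: ToR T<pod><i>, aggregation A<pod><i>, core C0/C1.
# Each ToR links to both aggregation switches of its pod; A<p>0 links to C0 and
# A<p>1 to C1.  The link set is only used to validate flow-table next hops.
LINKS = {
    ("T00", "A00"), ("T00", "A01"), ("T01", "A00"), ("T01", "A01"),
    ("T10", "A10"), ("T10", "A11"), ("T11", "A10"), ("T11", "A11"),
    ("A00", "C0"), ("A10", "C0"), ("A01", "C1"), ("A11", "C1"),
}
TA, TB = "T00", "T10"          # the two ToR switches in different pods

def packet(dst, proto):
    """Packet headers used by the policy: destination ToR and protocol."""
    return {"dst": dst, "proto": proto}

def matches(match, pkt):
    return all(pkt.get(field) == value for field, value in match.items())

def next_hop(cfg, switch, pkt):
    """First matching rule wins; no rule (or a drop rule) returns None."""
    for match, action in cfg.get(switch, []):
        if matches(match, pkt):
            return action[1] if action[0] == "fwd" else None
    return None

def linked(a, b):
    return (a, b) in LINKS or (b, a) in LINKS

def trace(cfg, src, pkt, limit=16):
    """Path of pkt injected at src under one fixed configuration (the paper's
    assumption that a packet sees a single set of flow tables in flight).
    Returns (path, delivered)."""
    path, cur = [src], src
    while cur != pkt["dst"] and len(path) <= limit:
        nxt = next_hop(cfg, cur, pkt)
        if nxt is None or not linked(cur, nxt):
            return path, False          # dropped, or rule points at a missing link
        path.append(nxt)
        cur = nxt
    return path, cur == pkt["dst"]

# Initial policy: T_a -> A00 (firewall: drops SSH) -> C0 -> A10 -> T_b.
INITIAL = {
    TA:    [({"dst": TB}, ("fwd", "A00"))],
    "A00": [({"dst": TB, "proto": "ssh"}, ("drop",)), ({"dst": TB}, ("fwd", "C0"))],
    "C0":  [({"dst": TB}, ("fwd", "A10"))],
    "A10": [({"dst": TB}, ("fwd", TB))],
}

# Four controller updates moving the firewall from A00 to A01 (constructed
# ordering: install the new path downstream-first, then repoint T_a).
UPDATES = [
    ("A01", [({"dst": TB, "proto": "ssh"}, ("drop",)), ({"dst": TB}, ("fwd", "C1"))]),
    ("C1",  [({"dst": TB}, ("fwd", "A11"))]),
    ("A11", [({"dst": TB}, ("fwd", TB))]),
    (TA,    [({"dst": TB}, ("fwd", "A01"))]),
]

def configurations(initial, updates):
    """Configurations seen by the data plane: before any update and after each."""
    cfgs, cfg = [dict(initial)], dict(initial)
    for switch, table in updates:
        cfg = dict(cfg)
        cfg[switch] = table
        cfgs.append(cfg)
    return cfgs

def check_properties(updates, initial=INITIAL, waypoint="A01"):
    """(i) non-SSH always reaches T_b, (ii) SSH never reaches T_b, at every
    intermediate configuration; (iii) every delivered packet crosses the
    waypoint in the final configuration."""
    cfgs = configurations(initial, updates)
    http, ssh = packet(TB, "http"), packet(TB, "ssh")
    final = cfgs[-1]
    delivered = [trace(final, TA, p) for p in (http, ssh)]
    return {
        "Reachability-I":  all(trace(c, TA, http)[1] for c in cfgs),
        "Reachability-II": not any(trace(c, TA, ssh)[1] for c in cfgs),
        "Waypointing":     all(waypoint in path for path, ok in delivered if ok),
    }

if __name__ == "__main__":
    print("planned order:", check_properties(UPDATES))
    # Repointing T_a before the new path exists drops non-SSH traffic mid-update.
    print("T_a first:   ", check_properties([UPDATES[3]] + UPDATES[:3]))
```

Running the module also checks the same four updates in a different order, repointing T_a before the new path is installed; that order violates Reachability-I at an intermediate configuration, which is the transient drop a per-configuration check is meant to catch. Reachability-II holds under both orders: in the planned order the SSH drop rule is on A01 before T_a is repointed to it, and in the other order A01 has no rule at all for that traffic and drops it.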

We conducted the experiments on an Ubuntu 20.04 LTS OS with a 16-core 
2.4 GHz Intel i9-9980HK processor and 64 GB RAM. The results are depicted in 
Figure 8. We report the preprocessing time, the time taken for checking proper- 
ties (i), (ii), and (iii) individually (referred to as Reachability-I, Reachability-II, 
and Waypointing, respectively), and also the time taken to check all the properties 
in parallel (referred to as All Properties). The reported times are the average of 
10 runs. 
The results indicate that the preprocessing step is a non-negligible factor that 
contributes to the overall time. However, preprocessing is independent of the prop- 
erty that is being checked and this procedure only needs to be done once for 
a given network. After the preprocessing step, the individual properties can be 
checked in less than 2 seconds for networks with less than 100 switches. For 
larger networks with sizes up to 931 and 1344 switches, the individual properties 
can be checked in a maximum of 5 minutes and 11 minutes, respectively. Check- 
ing property (iii) takes more than twice as much time as checking 
properties (i) and (ii). In the experiments where we check all properties in 
parallel, we allocated one thread for each property. In this setting, checking all 
properties introduced 24% overhead on average. After preprocessing, on average 
87% of the running time is spent in the NetKAT decision procedure, and this 
step becomes the bottleneck in analysing larger networks. 
Fig. 8: Results of FatTree experiments. Light-coloured areas indicate the time spent 
in the NetKAT tool and solid coloured areas indicate the time spent in our tool. 


7 Conclusions 


We develop the language DyNetKAT for modelling and reasoning about dy- 
namic reconfigurations in Software Defined Networks. Our language builds upon 
the concepts, syntax, and semantics of NetKAT and hence provides a modular 
extension and makes it possible to reuse the theory and tools of NetKAT. We 
define a formal semantics for our language and provide a sound and ground- 
complete axiomatisation. We exploit our axiomatisation to analyse reachability 
properties of dynamic networks and show that our approach scales to networks 
with hundreds of switches. We assume that each data plane packet sees one set 
of flow tables throughout its flight in the network [17]. As future work, we plan to 
investigate small-step semantics in which the control plane updates can have a 
finer interleaving with in-flight packets. Another natural direction for future 
work is devising compilation schemes enabling the translation of DyNetKAT 
programs into real running code. 
Abstract. Adhesive categories provide an abstract framework for the 
algebraic approach to rewriting theory, where many general results can be 
recast and uniformly proved. However, checking that a model satisfies the 
adhesivity properties is sometimes far from immediate. In this paper we 
present a new criterion giving a sufficient condition for M,N-adhesivity, 
a generalisation of the original notion of adhesivity. We apply it to several 
existing categories, and in particular to hierarchical graphs, a formalism 
that is notoriously difficult to fit in the mould of algebraic approaches to 
rewriting and for which various alternative definitions float around. 


1 Introduction 


The introduction of adhesive categories marked a watershed moment for the alge- 
braic approaches to the rewriting of graph-like structures [16,9]. Until then, key 
results of the approaches on e.g. parallelism and confluence had to be proven over 
and over again for each different formalism at hand, despite the obvious similar- 
ity of the procedure. Differently from previous solutions to such problems, as the 
one witnessed by the butterfly lemma for graph rewriting [8, Lemma 3.9.1], the 
introduction of adhesive categories provided such a disparate set of formalisms 
with a common abstract framework where many of these general results could 
be recast and uniformly proved once and for all. 

Despite the elegance and effectiveness of the framework, proving that a given 
category satisfies the conditions for being adhesive can be a daunting task. For 
this reason, we look for simpler general criteria implying adhesivity for a class of 
categories. Similar criteria have been already provided for the core framework of 
adhesive categories; e.g., every elementary topos is adhesive [17], and a category 
is (quasi)adhesive if and only if it can be suitably embedded in a topos [15,12]. This 
covers many useful categories such as sets, graphs, etc.; on the other hand, there 
are many categories of interest which are not (quasi)adhesive, such as directed 
graphs, posets, and many of their subcategories. In these cases we can try to 
prove the more general M,N-adhesivity for suitable M,N; however, so far this 
has been achieved only by means of ad hoc arguments. To this end, one of the 
main contributions of this paper is a new criterion for M,N-adhesivity, based on 
the verification of some properties of functors connecting the category of inter- 
est to a family of suitable adhesive categories. This criterion allows us to prove 
in a uniform and systematic way some previous results about the adhesivity of 
categories built by products, exponents, and the comma construction. 

Moreover, it is well-known that categorical properties are often prescriptive, 
indicating abstractly the presence of some good behaviour of the modelled sys- 
tem. Adhesivity is one such property, as it is highly sought after when it comes to 
rewriting theories. Thus, our criterion for proving M,N-adhesivity can be seen 
also as a "litmus test" for the given category. This is useful in situations that are 
not completely settled, and for which different settings have been proposed. An 
important example is that of hierarchical graphs, for which we can roughly find 
two alternative proposals: on the one hand, algebraic formalisms where the edges 
have some algebraic structure, so that the nesting is a side effect of the term 
construction; on the other hand, combinatorial approaches where the topology of 
a standard graph is enriched by some partial order, either on the nodes or on the 
edges, where the order relation indicates the presence of nesting. By applying 
our criterion, we can show that the latter approach yields indeed an M,N- 
adhesive category, confirming and overcoming the limitations of some previous 
approaches to hierarchical graphs [21,23,24], which we briefly recall next. 

The more straightforward proposal is by Palacz [24], using a poset of edges 
instead of just a set; however, the class of rules has to be restricted in order 
to apply the approach, which in any case predates the introduction of adhe- 
sive categories. Our work allows us to rephrase in terms of adhesive properties and 
generalise Palacz's proposal, dropping his constraint on rules. Another attempt 
is Mylonakis and Orejas' graphs with layers [21], for which M-adhesivity is 
proved for a class of monomorphisms in the category of symbolic graphs; how- 
ever, nodes between edges at different layers cannot be shared. Padberg [23] 
goes for a coalgebraic presentation via a peculiar "superpower set" functor; this 
gives immediately M-adhesivity provided that this superpower set functor is 
well-behaved with respect to limits. However, this approach is rather ad hoc, not 
modular and not very natural for actual modelling. 

Summarising, the main contributions of this work are: (a) a new general 
criterion for assessing M,N-adhesivity; (b) new proofs of M,N-adhesivity for 
some relevant categories, systematising previously known proofs; (c) the first proof 
that a category of hierarchical graphs is M,N-adhesive. 


Synopsis. After having recalled some basic notions, in Section 2 we introduce the 
new criterion for M, N-adhesivity; using it, we show M,N-adhesivity of several 
constructions, such as products and comma categories. In Section 3 we apply 
this theory to various example categories, such as directed (acyclic) graphs, trees 
and term graphs. We show also the adhesivity of several categories obtained by 
combining adhesive ones, and in particular of the elusive category of hierarchical 
graphs. Conclusions and directions for future work are in Section 4. An extended 
version of this paper is available at [6]. 
2 M,N-adhesivity via creation of (co)limits 


In this section we recall some definitions and results about M,N-adhesive cat- 
egories and provide a new criterion to prove this property. 


2.1 M,N-adhesive categories 


Intuitively, an adhesive category is one in which pushouts of monomorphisms 
exist and “behave more or less as they do in the category of sets” [16]. Formally, 
we require pushouts of monomorphisms to be Van Kampen colimits. 


Definition 2.1. A Van Kampen square in a category A is a pushout square 

[pushout square: $A \to B$ along the top, $m\colon A \to C$ on the left, 
$f\colon B \to D$ on the right, $g\colon C \to D$ along the bottom] 

such that for any cube as follows, where the back faces are pullbacks, 

[commutative cube having the square above as its bottom face, with primed 
vertices $A', B', C', D'$ on the top face and vertical arrows $a, b, c, d$] 

the top face is a pushout if and only if the front faces are pullbacks. 
Pushout squares which enjoy the "if" of this condition are called stable. 


Given a category A we will denote by Mor(A), Mono(A), Reg(A) respectively 
the classes of morphisms, monomorphisms and regular monomorphisms of A. 


Definition 2.2. Let A be a category and $\mathcal{A} \subseteq \mathrm{Mor}(\mathbf{A})$. Then we say that $\mathcal{A}$ is 

— stable under pushouts if for every pushout square as aside [vertical arrows 
$m$ (left) and $n$ (right), bottom arrow $C \to D$], if $m \in \mathcal{A}$ then $n \in \mathcal{A}$; 
— stable under pullbacks if for every pullback square as aside [same shape], 
if $n \in \mathcal{A}$ then $m \in \mathcal{A}$; 

— closed under composition if $g, f \in \mathcal{A}$ implies $g \circ f \in \mathcal{A}$ whenever $g$ and $f$ 
are composable; 

— closed under $\mathcal{B}$-decomposition (where $\mathcal{B}$ is another subclass of $\mathrm{Mor}(\mathbf{A})$) if 
$g \circ f \in \mathcal{A}$ and $g \in \mathcal{B}$ implies $f \in \mathcal{A}$; 

— closed under decomposition if it is closed under $\mathcal{A}$-decomposition. 


Remark 2.1. Clearly, “decomposition” corresponds to “left cancellation”, but we 
prefer to stick to the name commonly used in literature (see e.g. [14]). 
We are now ready to give the definition of M,N-adhesive category [14,25]. 
Definition 2.3. Let A be a category and M ⊆ Mono(A), N ⊆ Mor(A) where 

(i) M and N contain all isomorphisms and are closed under composition and 
decomposition; 
(ii) N is closed under M-decomposition; 
(iii) M and N are stable under pullbacks and pushouts. 

Then we say that A is M,N-adhesive if 

(a) every cospan $C \to D \leftarrow B$ with $m \in \mathcal{M}$ can be completed to a pullback 
(such pullbacks will be called M-pullbacks); 

(b) every span $C \xleftarrow{m} A \xrightarrow{n} B$ with $m \in \mathcal{M}$ and $n \in \mathcal{N}$ can be completed to a 
pushout; such pushouts will be called M,N-pushouts; 

(c) M,N-pushouts are Van Kampen squares. 


Remark 2.2. M-adhesivity as defined in [2] coincides with M, Mor(A)-adhesivity, 
while adhesivity and quasiadhesivity [16,12] coincide with Mono(A)-adhesivity 
and Reg(A)-adhesivity, respectively. Notice that, in the M-adhesive case, sta- 
bility under pushouts of M derives from properties (a)—(c) of Definition 2.3, 
while closure under decomposition follows from stability under pullbacks in any 
category, so there is no need to prove it independently. 

Other authors have introduced weaker notions of M-adhesivity; see, e.g., 
[9,11,28], where our M-adhesive categories are called adhesive HLR categories. 


In general, proving that a given category is M,N-adhesive by verifying the 
conditions of Definition 2.3 may be long and tedious; hence, we seek criteria 
which are sufficient for adhesivity and simpler to prove. A prominent example 
is the following result due to Lack and Sobociński. 


Theorem 2.1 ((17], Thm. 26). Any elementary topos is an adhesive category. 


In particular the category Set of sets and any presheaf category are adhesive. 
However, there are many important categories for (graph) rewriting which are 
not toposes, hence the need for more general criteria. 


2.2 A new criterion for M,N-adhesivity 


In this section we present our main result, i.e., that M,N-adhesivity is guaran- 
teed by the existence of a family of functors with sufficiently nice properties. We 
will adapt some definitions from [1]. 


Definition 2.4. Let $I \colon \mathbf{I} \to \mathbf{C}$ be a diagram and $J$ a set. We say that a family 
$\mathcal{F} = \{F_j\}_{j \in J}$ of functors $F_j \colon \mathbf{C} \to \mathbf{D}_j$ 

1. jointly preserves (co)limits of $I$ if given a (co)limiting (co)cone $(L, l_i)_{i \in \mathbf{I}}$ for 
$I$, every $(F_j(L), F_j(l_i))_{i \in \mathbf{I}}$ is (co)limiting for $F_j \circ I$; 

2. jointly reflects (co)limits of $I$ if a (co)cone $(L, l_i)_{i \in \mathbf{I}}$ is (co)limiting for $I$ 
whenever $(F_j(L), F_j(l_i))_{i \in \mathbf{I}}$ is (co)limiting for $F_j \circ I$ for every $j \in J$; 
3. jointly lifts (co)limits of $I$ if given a (co)limiting (co)cone $(L_j, l_{j,i})_{i \in \mathbf{I}}$ for 
every $F_j \circ I$, there exists a (co)limiting (co)cone $(L, l_i)_{i \in \mathbf{I}}$ for $I$ such that 
$(F_j(L), F_j(l_i))_{i \in \mathbf{I}} = (L_j, l_{j,i})_{i \in \mathbf{I}}$ for every $j \in J$; 

4. jointly creates (co)limits of $I$ if $F_j \circ I$ has a (co)limit for every $j \in J$, $I$ has 
a (co)limit and $\mathcal{F}$ jointly preserves and reflects it. 


Remark 2.3. Joint preservation, reflection, lifting or creation of (co)limits of $\mathcal{F} = 
\{F_j \colon \mathbf{A} \to \mathbf{B}_j\}_{j \in J}$ is equivalent to the usual preservation, reflection, lifting or 
creation of (co)limits for the functor $\mathbf{A} \to \prod_{j \in J} \mathbf{B}_j$ induced by $\mathcal{F}$. Notice that 
our notion of creation follows [22], which is more lax than, e.g., [19, Def. V.1]. 


Theorem 2.2. Let A be a category, M ⊆ Mono(A), N ⊆ Mor(A) satisfying 
conditions (i)-(iii) of Definition 2.3, and $\mathcal{F}$ a non empty family of functors 
$F_j \colon \mathbf{A} \to \mathbf{B}_j$ such that $\mathbf{B}_j$ is $\mathcal{M}_j,\mathcal{N}_j$-adhesive. 
1. If every $F_j$ preserves pullbacks, $F_j(\mathcal{M}) \subseteq \mathcal{M}_j$ and $F_j(\mathcal{N}) \subseteq \mathcal{N}_j$ for every $j \in 
J$, $\mathcal{F}$ jointly preserves M,N-pushouts, and jointly reflects pushout squares 

[square: $F_j(f)\colon F_j(A) \to F_j(B)$ along the top, $F_j(m)\colon F_j(A) \to F_j(C)$ on 
the left, $F_j(n)\colon F_j(B) \to F_j(D)$ on the right, $F_j(g)\colon F_j(C) \to F_j(D)$ along 
the bottom] 

with $m, n \in \mathcal{M}$ and $f \in \mathcal{N}$, then M,N-pushouts in A are stable. 
Moreover, if in addition $\mathcal{F}$ jointly reflects M-pullbacks and N-pullbacks then 
M,N-pushouts are Van Kampen squares. 

2. If $\mathcal{F}$ satisfies the assumptions of the previous point and jointly creates both 
M-pullbacks and N-pullbacks, then A is M,N-adhesive. 

3. If $\mathcal{F}$ jointly creates all pushouts and all pullbacks, then A is $\mathcal{M}_\mathcal{F},\mathcal{N}_\mathcal{F}$- 
adhesive, where 

\[ 
\mathcal{M}_\mathcal{F} := \{ m \in \mathrm{Mor}(\mathbf{A}) \mid F_j(m) \in \mathcal{M}_j \text{ for every } j \in J \} 
\qquad 
\mathcal{N}_\mathcal{F} := \{ n \in \mathrm{Mor}(\mathbf{A}) \mid F_j(n) \in \mathcal{N}_j \text{ for every } j \in J \} 
\] 
Proof. (1.) Take a cube in which the bottom face is an M,N-pushout and 
all the vertical faces are pullbacks (below, left). Applying any $F_j \in \mathcal{F}$ we get 
another cube in $\mathbf{B}_j$ (below, right) in which the bottom face is an $\mathcal{M}_j,\mathcal{N}_j$-pushout 
(because $F_j(m) \in \mathcal{M}_j$ and $F_j(n) \in \mathcal{N}_j$) and the vertical faces are pullbacks, thus 
the top face of the second cube is a pushout for every $j \in J$. 

[two cubes: on the left, the cube in A whose bottom face is the pushout of 
$m$ and $n$, whose top face has arrows $m', f', n'$ between $A', B', C', D'$, and 
whose vertical arrows are $a, b, c, d$; on the right, its image under $F_j$ in $\mathbf{B}_j$] 

Now $m', f' \in \mathcal{M}$ and $n' \in \mathcal{N}$ since they are the pullbacks of $m$, $f$ and $n$, and 
thus we can conclude. 

Suppose now that $\mathcal{F}$ jointly reflects M-pullbacks and N-pullbacks; we have 
to show that the front faces of the first cube above are pullbacks if the top 
one is a pushout. In the second cube, the bottom and top face are $\mathcal{M}_j,\mathcal{N}_j$- 
pushouts and the back faces are pullbacks, so the front faces are pullbacks 
too by $\mathcal{M}_j,\mathcal{N}_j$-adhesivity. Now, notice that $f \in \mathcal{M}$ and $g \in \mathcal{N}$ (since M and 
N are closed under pushouts) and thus we can conclude since $\mathcal{F}$ jointly reflects 
pullbacks along arrows in M or in N. 

(2.) Let us show properties (a), (b), (c) defining M,N-adhesivity. 

(a) Given a cospan $C \to D \leftarrow B$ in A with $m \in \mathcal{M}$ we can apply $F_j \in \mathcal{F}$ to 
it and get $F_j(C) \to F_j(D) \leftarrow F_j(B)$, which is a cospan in $\mathbf{B}_j$ with 
$F_j(g) \in \mathcal{M}_j$; thus, by hypothesis it has a limiting cone $(P_j, p_{F_j(B)}, p_{F_j(C)})$ 
in $\mathbf{B}_j$. Since $\mathcal{F}$ jointly creates M-pullbacks there exists a limiting cone 
$(P, p_B, p_C)$ for the cospan $C \to D \leftarrow B$. 

(b) Analogously: for every span $C \xleftarrow{m} A \xrightarrow{n} B$ in A with $m \in \mathcal{M}$ and $n \in \mathcal{N}$, 
we have $F_j(C) \xleftarrow{F_j(m)} F_j(A) \xrightarrow{F_j(n)} F_j(B)$ in each $\mathbf{B}_j$ with $F_j(m) \in \mathcal{M}_j$ and 
$F_j(n) \in \mathcal{N}_j$, and thus there exists a colimiting cocone $(Q_j, q_{F_j(B)}, q_{F_j(C)})$ in 
$\mathbf{B}_j$. Now we can conclude because $\mathcal{F}$ jointly creates M,N-pushouts. 
(c) This follows at once by the second half of the previous point. 


(3.) By the previous point it is enough to show that $\mathcal{M}_\mathcal{F}$ and $\mathcal{N}_\mathcal{F}$ satisfy condi- 
tions (i)-(iii) of Definition 2.3. 

(i) If $f \in \mathrm{Mor}(\mathbf{A})$ is an isomorphism then so is $F_j(f)$ for every $F_j \in \mathcal{F}$. Thus 
$F_j(f)$ belongs to $\mathcal{M}_j$ and $\mathcal{N}_j$ for every $j \in J$, implying $f$ is in $\mathcal{M}_\mathcal{F}$ and in 
$\mathcal{N}_\mathcal{F}$. The parts regarding composition and decomposition follow immediately 
by functoriality of each $F_j \in \mathcal{F}$. 

(ii) Suppose that $g \circ f \in \mathcal{N}_\mathcal{F}$, with $g \in \mathcal{M}_\mathcal{F}$; then for every $j \in J$, $F_j(g \circ f) = 
F_j(g) \circ F_j(f) \in \mathcal{N}_j$ and $F_j(g) \in \mathcal{M}_j$, thus $F_j(f) \in \mathcal{N}_j$ and so $f \in \mathcal{N}_\mathcal{F}$. 

(iii) Take a square 

[square with vertical arrows $m$ (left) and $n$ (right) and bottom arrow $g$] 

and suppose that it is a pullback with $n \in \mathcal{M}_\mathcal{F}$ ($\mathcal{N}_\mathcal{F}$); then applying any 
$F_j \in \mathcal{F}$ we get that $F_j(m)$ is the pullback of $F_j(n)$ along $F_j(g)$, since $F_j(n)$ is 
in $\mathcal{M}_j$ (in $\mathcal{N}_j$), which implies that $F_j(m) \in \mathcal{M}_j$ ($\mathcal{N}_j$). This is true for every 
$j \in J$, from which the thesis follows. Stability under pushouts is proved 
applying the same argument to $m$. 


Applying the previous theorem to the families given by, respectively, pro- 
jections, evaluations and the inclusion we get immediately the following three 
corollaries (cfr. also [9, Thm. 4.15]). 
Corollary 2.1. Let $\{\mathbf{A}_i\}_{i \in I}$ be a family of categories such that each $\mathbf{A}_i$ is $\mathcal{M}_i,\mathcal{N}_i$- 
adhesive. Then the product category $\prod_{i \in I} \mathbf{A}_i$ is $\prod_{i \in I} \mathcal{M}_i, \prod_{i \in I} \mathcal{N}_i$-adhesive, where 

\[ 
\prod_{i \in I} \mathcal{M}_i = \{ (m_i)_{i \in I} \in \mathrm{Mor}(\textstyle\prod_{i \in I} \mathbf{A}_i) \mid m_i \in \mathcal{M}_i \text{ for every } i \in I \} 
\] 
\[ 
\prod_{i \in I} \mathcal{N}_i = \{ (n_i)_{i \in I} \in \mathrm{Mor}(\textstyle\prod_{i \in I} \mathbf{A}_i) \mid n_i \in \mathcal{N}_i \text{ for every } i \in I \} 
\] 

Corollary 2.2. Let A be an M,N-adhesive category. Then for every other cat- 
egory C, the category of functors $\mathbf{A}^{\mathbf{C}}$ is $\mathcal{M}^{\mathbf{C}},\mathcal{N}^{\mathbf{C}}$-adhesive, where 

\[ 
\mathcal{M}^{\mathbf{C}} := \{ \eta \in \mathrm{Mor}(\mathbf{A}^{\mathbf{C}}) \mid \eta_C \in \mathcal{M} \text{ for every object } C \text{ of } \mathbf{C} \} 
\] 
\[ 
\mathcal{N}^{\mathbf{C}} := \{ \eta \in \mathrm{Mor}(\mathbf{A}^{\mathbf{C}}) \mid \eta_C \in \mathcal{N} \text{ for every object } C \text{ of } \mathbf{C} \} 
\] 

Corollary 2.3. Let A be a full subcategory of an M,N-adhesive category B 
and M' ⊆ Mono(A), N' ⊆ Mor(A) satisfying the first three conditions of Def- 
inition 2.3 such that M' ⊆ M, N' ⊆ N and A is closed in B under pullbacks 
and M',N'-pushouts. Then A is M',N'-adhesive. 


2.3 Comma categories 


In this section we show how to apply Theorem 2.2 to the comma construction 
[19] in order to guarantee some adhesivity properties under suitable hypotheses. 


Definition 2.5. For any two functors $L \colon \mathbf{A} \to \mathbf{C}$, $R \colon \mathbf{B} \to \mathbf{C}$, the comma 
category $L \downarrow R$ is the category in which 

— objects are triples $(A, B, f)$ with $A \in \mathbf{A}$, $B \in \mathbf{B}$, and $f \colon L(A) \to R(B)$; 
— a morphism $(A, B, f) \to (A', B', g)$ is a pair $(h, k)$ with $h \colon A \to A'$, $k \colon B \to 
B'$ such that the following diagram commutes 

[square: $L(h)\colon L(A) \to L(A')$ along the top, $f\colon L(A) \to R(B)$ on the left, 
$g\colon L(A') \to R(B')$ on the right, $R(k)\colon R(B) \to R(B')$ along the bottom] 

We have two obvious forgetful functors 

\[ 
U_L \colon L \downarrow R \to \mathbf{A}, \quad (A, B, f) \mapsto A,\ (h, k) \mapsto h 
\qquad 
U_R \colon L \downarrow R \to \mathbf{B}, \quad (A, B, f) \mapsto B,\ (h, k) \mapsto k 
\] 


Example 2.1. Graph is equivalent to the comma category made from the iden- 
tity functor on Set and the product functor sending X to X × X. 
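Unfolding Example 2.1 as an added illustration (this is not from the paper): with $L = \mathrm{id}_{\mathbf{Set}}$ and $R = (-) \times (-)$, an object of the comma category is a set of edges, a set of nodes and one function into the product, and the comma-category morphism condition is exactly the pair of commuting squares that define morphisms of Graph. The loop graph and the two-node graph at the end are constructed here to show the condition failing.

```latex
% Added illustration of Example 2.1 (not part of the paper).
% An object (E, V, f) of id_Set \downarrow (-\times-): f packs source and target.
\[
f = \langle s, t \rangle \colon E \to V \times V, \qquad e \mapsto (s(e), t(e)).
\]
% A pair (h, k) with h : E -> F, k : V -> W is a morphism
% (E, V, <s,t>) -> (F, W, <s',t'>) iff the comma square commutes:
\[
(k \times k) \circ \langle s, t \rangle = \langle s', t' \rangle \circ h
\quad\Longleftrightarrow\quad
k \circ s = s' \circ h \ \text{ and } \ k \circ t = t' \circ h,
\]
% which are the two commuting squares required of a Graph morphism.
% Constructed check: E = {e}, V = {v}, s(e) = t(e) = v (a single loop) and
% F = {e'}, W = {w_1, w_2}, s'(e') = w_1, t'(e') = w_2. No (h, k) exists, since
\[
k(v) = s'(h(e)) = w_1 \ \text{ and } \ k(v) = t'(h(e)) = w_2 \ \text{ cannot both hold when } w_1 \neq w_2 .
\]
```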
We have a classic result relating limits and colimits in the comma category 
with those preserved by L or R. 

Lemma 2.1. Let $I \colon \mathbf{I} \to L \downarrow R$ be a diagram such that $L$ preserves the colimit 
(if it exists) of $U_L \circ I$. Then the family $\{U_L, U_R\}$ jointly creates colimits of $I$. 

Corollary 2.4. The family $\{U_L, U_R\}$ jointly creates limits along every diagram 
$I \colon \mathbf{I} \to L \downarrow R$ such that $R$ preserves the limit of $U_R \circ I$. 

Proof. Apply the previous lemma to $R^{op} \downarrow L^{op}$, which is equivalent to $(L \downarrow R)^{op}$. 

We are now able to deduce the following result from Theorem 2.2. 

Theorem 2.3. Let A and B be respectively M,N-adhesive and M',N'-adhesive 
categories, $L \colon \mathbf{A} \to \mathbf{C}$ a functor that preserves M,N-pushouts, and $R \colon \mathbf{B} \to \mathbf{C}$ 
a pullback preserving one. Then $L \downarrow R$ is $\mathcal{M}\downarrow\mathcal{M}',\mathcal{N}\downarrow\mathcal{N}'$-adhesive, where 

\[ 
\mathcal{M}\downarrow\mathcal{M}' := \{ (h, k) \in \mathrm{Mor}(L \downarrow R) \mid h \in \mathcal{M},\ k \in \mathcal{M}' \} 
\qquad 
\mathcal{N}\downarrow\mathcal{N}' := \{ (h, k) \in \mathrm{Mor}(L \downarrow R) \mid h \in \mathcal{N},\ k \in \mathcal{N}' \}. 
\] 


3 Some paradigmatic examples 


In this section we apply the results provided in Section 2 to some important 
categories, such as directed (acyclic) graphs, hierarchical (hyper)graphs, directed 
(acyclic) hypergraphs, and term graphs. These examples have been chosen for 
their importance in graph rewriting, and because we can recover their M,N- 
adhesivity in a uniform and systematic way. In fact, in the case of hierarchical 
(hyper)graphs we give the first proof of M,N-adhesivity, to our knowledge. 


3.1 Directed (acyclic) graphs 


Among visual formalisms, directed (also known as “simple”) graphs represent 
one of the most-used paradigms, since they adhere to the classical view of graphs 
as relations included in the cartesian product of vertices. It is also well-known 
that directed graphs are not quasiadhesive [15], not even in their acyclic variant. 
In this section we are going to exploit Corollary 2.3 to show that these categories 
of (acyclic) graphs have nevertheless adhesivity properties. 


Definition 3.1. A directed multigraph is a 4-tuple $(E, V, s, t)$ where $E$ and $V$ 
are sets, called the set of edges and nodes respectively, and $s, t \colon E \to V$ are 
functions, called source and target. An edge $e$ is between $v$ and $w$ if $s(e) = v$ and 
$t(e) = w$; $E(v, w)$ is the set of edges between $v$ and $w$. A morphism $(E, V, s, t) \to 
(F, W, s', t')$ is a pair $(f, g)$ of functions $f \colon E \to F$, $g \colon V \to W$ such that the 
following diagrams commute 

We will denote by Graph the category so defined. A directed graph is a directed 
multigraph in which there is at most one edge between two nodes; DGraph is 
the full subcategory of Graph given by directed graphs. 

A path $[e_i]_{i=1}^{n}$ in a directed multigraph is a finite list of edges such that 
$t(e_i) = s(e_{i+1})$ for all $1 \le i \le n - 1$. A path is called a cycle if $s(e_1) = t(e_n)$. A 
directed acyclic graph is a directed graph without cycles; directed acyclic graphs 
form a full subcategory DAG of DGraph and Graph. 


Remark 3.1. Graph is equivalent to the category of presheaves on $\bullet \rightrightarrows \bullet$, the 
category with just two objects and only two parallel arrows between them (be- 
sides the identities), thus it is a topos and as such adhesive. Notice that this also 
implies that limits and colimits are computed component-wise and that an arrow 
in Graph is mono if and only if both its underlying functions are injective. 


Remark 3.2. Notice that if (f,g) : (E, V,s,t) > (F,W,s’,t’) is an arrow in 
DGraph with f injective, then g is injective too. 


We will state now two categorical properties of DGraph that will be useful 
in the following. 


Proposition 3.1. The following properties hold 

1. the inclusion functor $I \colon \mathbf{DGraph} \to \mathbf{Graph}$ has a left adjoint $L \colon \mathbf{Graph} \to 
\mathbf{DGraph}$ which sends a graph $(V, E, s, t)$ to the graph on the same vertices 
but in which edges with the same source and target are identified; 

2. an arrow $(f, g) \colon (E, V, s, t) \to (F, W, s', t')$ of DGraph is a regular monomor- 
phism if and only if $f$ is injective and $E(v_1, v_2)$ is non empty whenever 
$F(f(v_1), f(v_2)) \neq \emptyset$. 


Remark 3.3. Notice that, since L does not modify the vertices part of a graph, 
Remark 3.2 implies that L preserves monomorphisms. 


Example 3.1. In [15] it is shown that DGraph is not quasiadhesive. Take the 
cube 

[cube of directed graphs whose edges are labelled $a$, $a_1$, $a_2$ and $b$] 

By the results of Proposition 3.1 the top and bottom faces are pushouts along 
regular monos and the back faces are pullbacks, but the front one is not, contra- 
dicting the Van Kampen property. The same example shows that even DAG is 
not quasiadhesive. 


Definition 3.2. A monomorphism $(f, g) \colon (E, V, s, t) \to (F, W, s', t')$ in Graph 
is said to be downward closed if, for all $e \in F$, $e \in f(E)$ whenever $t'(e) \in g(V)$ 
(in particular this implies that $s'(e) \in g(V)$ too). We denote by dclosed, dclosed_D 
and dclosed_DAG the classes of downward closed morphisms in Graph, DGraph 
and DAG respectively. 


Remark 3.4. The functor L of Proposition 3.1 sends downward closed morphisms 
to downward closed morphisms. 


Remark 3.5. By Proposition 3.1 it is clear that any downward closed morphism 
is regular. The vice-versa does not hold: a counterexample is given by 

[counterexample: an inclusion of directed graphs on nodes $a$ and $b$] 

Lemma 3.1. DGraph and DAG are closed in Graph under pullbacks. More- 
over, DGraph is closed under Reg(DGraph), Mono(DGraph)-pushouts and 
DAG under dclosed_DAG, Mono(DAG)-pushouts. 


Theorem 3.1. The category DGraph is Reg(DGraph), Mono(DGraph)- and 
Mono(DGraph), Reg(DGraph)-adhesive, while DAG is dclosed_DAG, Mono(DAG)- 
adhesive. 


3.2 Tree Orders 


In this section we present trees as partial orders and show that the resulting 
category is actually a topos of presheaves, hence adhesive. This fact will be 
exploited in Section 3.3 to construct a category of hierarchical graphs, where the 
hierarchy between edges is modelled by trees. 


Definition 3.3. A tree order is a partial order $(E, \le)$ such that for every $e \in E$, 
$\downarrow e$ is a finite set totally ordered by the restriction of $\le$. Since $\downarrow e$ is a finite chain 
we can define the immediate predecessor function 

\[ 
i_E \colon E \to E \cup \{*\}, \qquad 
e \mapsto \begin{cases} 
\max(\downarrow e \smallsetminus \{e\}) & \downarrow e \neq \{e\} \\ 
* & \downarrow e = \{e\} 
\end{cases} 
\] 

Let $i^0_E$ be the inclusion $E \to E \cup \{*\}$; then, for any $k \in \mathbb{N}_+$, the $k$-th predecessor 
function $i^k_E \colon E \to E \cup \{*\}$ is defined by induction as follows: 

\[ 
i^{k+1}_E \colon E \to E \cup \{*\}, \qquad 
e \mapsto \begin{cases} 
i_E(i^k_E(e)) & i^k_E(e) \in E \\ 
* & i^k_E(e) = * 
\end{cases} 
\] 
Let $f \colon (E, \le) \to (F, \le)$ be a monotone map and $f_* \colon E \cup \{*\} \to F \cup \{*\}$ 
be its extension sending $*$ to $*$. We say that $f$ is strict if the following diagram 
commutes 

[square: $f\colon E \to F$ along the top, $i_E\colon E \to E \cup \{*\}$ on the left, 
$i_F\colon F \to F \cup \{*\}$ on the right, $f_*\colon E \cup \{*\} \to F \cup \{*\}$ along the bottom] 

We define the category Tree as the subcategory of Poset given by tree orders 
and strict morphisms. 


Example 3.2. A strict morphism is simply a monotone function that preserves 
immediate predecessors (and thus every predecessor). For instance the function 
$\{0\} \to \{0, 1\}$ sending $0$ to $1$, where we endow the codomain with the order 
$0 < 1$, is not a strict morphism. 


Remark 3.6. Clearly $i^1_E = i_E$, and it holds that $i^k_E(e) = *$ if and only if $|\downarrow e| \le k$. 
Otherwise (i.e. when $i^k_E(e) \in E$), an easy induction shows that $|\downarrow i^k_E(e)| = |\downarrow e| - k$. 


Remark 3.7. We have an obvious forgetful functor 

\[ 
|-| \colon \mathbf{Tree} \to \mathbf{Set}, \qquad (E, \le) \mapsto E, \quad f \mapsto |f| 
\] 

sending a tree order to its underlying set and a strict morphism to its underlying 
function. 


Remark 3.8. Let $(E, \le)$ be an object of Tree and $\omega$ the first infinite ordinal; 
then we can define its associated presheaf $\widehat{E} \colon \omega^{op} \to \mathbf{Set}$ sending $n$ to the set 

\[ 
\widehat{E}(n) = \{ e \in E \mid |\downarrow e \smallsetminus \{e\}| = n \}. 
\] 
If $n \le m$ in $\omega$, we can define a function 
\[ 
\widehat{E}_{m,n} \colon \widehat{E}(m) \to \widehat{E}(n), \qquad e \mapsto i^{m-n}_E(e), 
\] 
which is well defined since $|\downarrow e| \ge m - n$, so 
\[ 
|\downarrow i^{m-n}_E(e)| = |\downarrow e| - m + n = m + 1 - m + n = n + 1. 
\] 
Notice that if $m = n$, $i^{m-n}_E$ is the identity, while for any $k \le n \le m$ we have 
\[ 
\widehat{E}_{n,k}(\widehat{E}_{m,n}(e)) = i^{n-k}_E(i^{m-n}_E(e)) = i^{n-k+m-n}_E(e) = i^{m-k}_E(e) = \widehat{E}_{m,k}(e), 
\] 
so $\widehat{E}$ is really a presheaf on $\omega$. 
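A worked instance of Remark 3.8 on a small tree order, added here as an illustration and not taken from the paper (the order on $\{r, b, c, d\}$ is constructed): it lists the down-sets, the predecessor functions, the sets $\widehat{E}(n)$, and checks the functoriality equation $\widehat{E}_{n,k} \circ \widehat{E}_{m,n} = \widehat{E}_{m,k}$ on the only element where all three maps are non-trivial.

```latex
% Constructed tree order (not from the paper): root r, children b and c, and d below b.
\[
E = \{r, b, c, d\},\quad r < b < d,\quad r < c,
\qquad
\downarrow r = \{r\},\ \downarrow b = \{r, b\},\ \downarrow c = \{r, c\},\ \downarrow d = \{r, b, d\}.
\]
% Immediate and iterated predecessors (Definition 3.3); |\downarrow i^k_E(e)| = |\downarrow e| - k as in Remark 3.6.
\[
i_E(r) = *,\quad i_E(b) = r,\quad i_E(c) = r,\quad i_E(d) = b,\qquad
i^2_E(d) = i_E(b) = r,\quad i^3_E(d) = * \ (\text{since } |\downarrow d| = 3 \le 3).
\]
% The presheaf of Remark 3.8: \widehat{E}(n) collects the elements with exactly n proper predecessors.
\[
\widehat{E}(0) = \{r\},\quad \widehat{E}(1) = \{b, c\},\quad \widehat{E}(2) = \{d\},\quad \widehat{E}(n) = \emptyset \ \ (n \ge 3).
\]
% Restriction maps and the functoriality check on d (k = 0, n = 1, m = 2).
\[
\widehat{E}_{1,0}(b) = i^1_E(b) = r,\quad \widehat{E}_{1,0}(c) = r,\quad \widehat{E}_{2,1}(d) = i^1_E(d) = b,\quad
\widehat{E}_{2,0}(d) = i^2_E(d) = r = \widehat{E}_{1,0}(\widehat{E}_{2,1}(d)).
\]
```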


Theorem 3.2. There exists an equivalence of categories $\widehat{(-)} \colon \mathbf{Tree} \to \mathbf{Set}^{\omega^{op}}$ 
sending $(E, \le)$ to $\widehat{E}$. 

Corollary 3.1. Tree is adhesive and the forgetful functor $|-| \colon \mathbf{Tree} \to \mathbf{Set}$ 
preserves all colimits. 
3.3 Various kinds of hierarchical graphs 


In this section we construct several categories of hierarchical graphs combining 
sufficiently adhesive categories of preorders or graphs (modelling the hierarchy 
between the edges) and the wanted structure on the nodes. For each of them 
we can readily prove suitable adhesivity properties, leveraging the modularity 
provided by Theorem 2.2. Besides hypergraphs and interfaces, this methodology 
can be applied to other settings such as Petri nets (see [10]). 


Hierarchical graphs We can use trees to produce a category of hierarchical graphs 
[24], which, in addition, can be equipped with an interface, modelled by a func- 
tion into the set of nodes. 


Definition 3.4. The category HIGraph of hierarchical graphs with interface 
has as objects 6-tuples $((E, \le), V, X, f, s, t)$ where $(E, \le)$ is a tree order, $f$ is a 
function $X \to V$ and $s, t$ are functions $E \to V$, and as arrows triples $(h, k, l) \colon 
((E, \le), V, X, f, s, t) \to ((F, \le), W, Y, g, s', t')$ with $h \colon (E, \le) \to (F, \le)$ in Tree, 
$k \colon V \to W$ and $l \colon X \to Y$ in Set such that the following squares commute 

We can realise HIGraph as a comma category: as $L$ we take the functor $|-| \colon 
\mathbf{Tree} \to \mathbf{Set}$ of Remark 3.7, while as $R$ we take the composition of $\mathrm{cod} \colon \mathbf{Set}^{\to} \to 
\mathbf{Set}$, sending an arrow to its codomain, with the functor $\mathbf{Set} \to \mathbf{Set}$ that sends 
a set $X$ to $X \times X$. Notice that cod preserves limits since it coincides with the 
forgetful functor $\mathrm{id}_{\mathbf{Set}} \downarrow \mathrm{id}_{\mathbf{Set}} \to \mathbf{Set}$, so we can apply Theorem 2.3 to get the following. 


Theorem 3.3. HIGraph is an adhesive category. 


The next step is to move to hypergraphs, using the Kleene star $(-)^* \colon \mathbf{Set} \to 
\mathbf{Set}$ (the monoid monad) instead of the product functor. This step is not trivial: 
it relies on the fact that the monoid monad preserves all connected limits (such 
monads are called cartesian), which in turn rests upon the fact that the theory 
of monoids is a strongly regular theory (see [5, Sec. 3] and [18, Ch. 4] for details). 


Hierarchical hypergraphs A variation on the previous example is obtained by 
allowing an edge to be mapped to an arbitrary subset of nodes. In this way, we 
obtain a category of hypergraphs whose edges form a tree order, corresponding 
to Milner's (pure) bigraphs [20], with possibly infinite edges^3. 

Definition 3.5. The category HHGraph of hierarchical hypergraphs with in- 
terface has as objects 5-tuples $((E, \le), V, X, f, e)$ where $(E, \le)$ is a tree order 
and $f \colon X \to V$, $e \colon E \to V^*$ two functions; arrows are triples $(h, k, l) \colon 
((E, \le), V, X, f, e) \to ((F, \le), W, Y, g, e')$ with $h \colon (E, \le) \to (F, \le)$ in Tree, 
$k \colon V \to W$ and $l \colon X \to Y$ in Set such that the following squares commute 

3 In bigraph terminology, "controls" and "edges" correspond to our edges and nodes. 
Fig. 1. A DAG-hypergraph (left) and a DGraph-hypergraph corresponding to the 
CCS process P = a(x).b(xy).P (right). The relation between edges is depicted in red. 


Even in this case HHGraph is a comma category: on the left side we take |—| 
as before, on the right side we take the composition of cod with the Kleene star, 
so even in this case we can deduce adhesivity. 


Theorem 3.4. HHGraph is adhesive. 


DGraph and DAG-hypergraphs We can consider more general relations be- 
tween edges, besides tree orders. An interesting case is when edges form a 
directed acyclic graph, yielding the category of DAG-hypergraphs; this corre- 
sponds to (possibly infinite) bigraphs with sharing, where an edge can have more 
than one parent, as in [27] (see also Fig. 1, left). Even more generally, we can 
consider any relation between edges, i.e., the edges form a generic directed graph 
possibly with cycles, yielding the category of DGraph-hypergraphs. These can 
be seen as “recursive bigraphs”, i.e., bigraphs which allow for cyclic dependencies 
between controls, like in recursive processes; an example is in Fig. 1 (right). 


Definition 3.6. We define the category of DGraph-hypergraphs (respectively 
DAG-hypergraphs) with interface DHGraph (DAGHGraph) as the one in 
which objects are 5-tuples $((E, T, s, t), V, X, f, e)$ where $(E, T, s, t)$ is in DGraph 
(in DAG), $f$ is a function $X \to V$, and $e$ a function $T \to V^*$, and as ar- 
rows triples $((h_1, h_2), k, l) \colon ((E, T, s, t), V, X, f, e) \to ((F, T', s', t'), W, Y, g, e')$ 
with $(h_1, h_2) \colon (E, T, s, t) \to (F, T', s', t')$ in DAG (in DGraph), $k \colon V \to W$ 
and $l \colon X \to Y$ in Set such that the following squares commute 

\[ 
\begin{array}{ccc} 
T & \xrightarrow{\ e\ } & V^* \\ 
{\scriptstyle h_2}\downarrow & & \downarrow{\scriptstyle k^*} \\ 
T' & \xrightarrow{\ e'\ } & W^* 
\end{array} 
\qquad 
\begin{array}{ccc} 
X & \xrightarrow{\ f\ } & V \\ 
{\scriptstyle l}\downarrow & & \downarrow{\scriptstyle k} \\ 
Y & \xrightarrow{\ g\ } & W 
\end{array} 
\] 

We can realise also DHGraph and DAGHGraph as comma categories: it is 
enough to take respectively the forgetful functors $\mathbf{DGraph} \to \mathbf{Set}$ and $\mathbf{DAG} \to 
\mathbf{Set}$ on one side and again the composition of the Kleene star with cod. 
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Theorem 3.5. DHGraph is adhesive with respect to the classes 


{((hi, h2), k,l) € Mor(DHGraph) | (hi, h2) € Reg(DGraph), k,l € Mono(Set)} 
{((Ai, h2), k, l) E€ Mor((DHGraph) | (h1, h2) € Mono(DGraph)} 


while DAGHGraph is adhesive with respect to the classes 


{((hi, h2), k,l) € Mor(DAGHGraph) | (h1, h2) € dclosedaa, k,l € Mono(Set)} 
{((h1, h2), k,l) € Mor(DHGraph) | (Ai, h2) € Mono(DAG)} 


3.4 Term graphs 


The use of term graphs has been advocated as a tool for the optimal implementation
of terms, with the intuition that the graphical counterpart of trees can
allow for the sharing of sub-terms [26]. A brute force proof of quasi-adhesivity
of the category of term graphs was given in [7]. In this section we recover that
result by exploiting our new criterion for adhesivity.


Definition 3.7. Let $\Sigma = (O, \mathrm{ar})$ be an algebraic signature ($O$ is a set and $\mathrm{ar} :
O \to \mathbb{N}$ a function called the arity function). A term graph over $\Sigma$ is a triple $(V,l,s)$
where $V$ is a set and $l : V \rightharpoonup O$, $s : V \rightharpoonup V^*$ are partial functions such that

— $\mathrm{dom}(l) = \mathrm{dom}(s)$;
— for each $v \in \mathrm{dom}(l)$, $\mathrm{ar}(l(v)) = \mathrm{length}(s(v))$, where $\mathrm{length} : V^* \to \mathbb{N}$ associates to each word its length.

Elements of $V$ are called nodes; a node $v$ not in $\mathrm{dom}(l)$ is called empty. A
morphism $(V,l,s) \to (W,t,r)$ is a function $f : V \to W$ such that

$$t(f(v)) = l(v) \qquad\qquad r(f(v)) = f^*(s(v))$$

for every $v \in \mathrm{dom}(l)$, where $f^* : V^* \to W^*$ applies $f$ letter-wise (in particular,
$f$ sends non-empty nodes to non-empty nodes). We will denote by $\mathrm{TG}_\Sigma$ the category of term graphs over $\Sigma$
and their morphisms. We will use $U$ to denote the forgetful functor $\mathrm{TG}_\Sigma \to \mathbf{Set}$
sending a term graph to the set of its nodes and that is the identity on arrows.


Definition 3.8. We define a functor $\Delta : \mathbf{Set} \to \mathrm{TG}_\Sigma$ putting

$$\begin{array}{ccc} X & \longmapsto & (X, \varepsilon_1, \varepsilon_2) \\ {\scriptstyle f}\big\downarrow & & \big\downarrow{\scriptstyle f} \\ Y & \longmapsto & (Y, \varepsilon_1, \varepsilon_2) \end{array}$$

where the domains of the structural functions $\varepsilon_1, \varepsilon_2$ of $\Delta(X)$ are the empty set.

Lemma 3.2. The following properties hold:

1. $\Delta \dashv U$;
2. $\mathrm{TG}_\Sigma$ has equalizers and binary products.
Remark 3.9. Right adjoints preserve monomorphisms, so, by the first point of
Lemma 3.2, if $f : (V,l,s) \to (W,t,r)$ is a monomorphism then its underlying
function is injective. On the other hand $U$ is faithful and thus reflects monomorphisms,
i.e. the other implication holds as well.


Remark 3.10. $\mathrm{TG}_\Sigma$ in general does not have terminal objects. Since $U$ preserves
limits, if a terminal object exists it must have the singleton as set of nodes. Now
take as signature the one given by two operations $\{a, b\}$ both of arity $0$; then we
have three term graphs with only one node $v$: $\Delta(\{v\})$, $(\{v\},l,s)$ and $(\{v\},t,s)$
where $l(v) = a$, $t(v) = b$ and $s$ sends $v$ to the empty word. Clearly there are no
morphisms between the last two, nor from the last two to the first one, and thus
none of them can be terminal.


Remark 3.11. $\mathrm{TG}_\Sigma$ is not an adhesive category. In particular it does not have
pushouts along all monomorphisms. Take the signature of the previous remark;
then we can use the identity $\{v\} \to \{v\}$ to form a span

$$(\{v\},l,s) \longleftarrow \Delta(\{v\}) \longrightarrow (\{v\},t,s).$$

This span cannot be completed to a commutative square: if

$$\begin{array}{ccc} \Delta(\{v\}) & \longrightarrow & (\{v\},t,s) \\ \big\downarrow & & \big\downarrow{\scriptstyle g} \\ (\{v\},l,s) & \xrightarrow{\;f\;} & (P,p,r) \end{array}$$

is commutative then $f(v) = g(v)$; therefore

$$a = l(v) = p(f(v)) = p(g(v)) = t(v) = b$$

and this is absurd.


Remark 3.12. It is worth spelling out the explicit construction of equalizers in
$\mathrm{TG}_\Sigma$. Given two arrows $f, g : (V,l,s) \to (W,t,r)$, let

$$E = \{v \in V \mid f(v) = g(v)\}$$

be the equalizer of $U(f)$ and $U(g)$ in $\mathbf{Set}$. We have a partial function $p : E \rightharpoonup O$
given by the restriction of $l$ to $E$. Moreover, if $v \in E \cap \mathrm{dom}(s)$ then

$$f^*(s(v)) = r(f(v)) = r(g(v)) = g^*(s(v))$$

hence $s(v) \in E^*$ (which is the equalizer of $f^*$ and $g^*$, see [5]), thus we can restrict
$s$ to $q : E \rightharpoonup E^*$. In this way we get a term graph $(E,p,q)$ with an arrow into
$(V,l,s)$ which clearly equalizes $f$ and $g$.

On the other hand, if $k : (U,a,b) \to (V,l,s)$ is such that

$$g \circ k = f \circ k$$

then the induced function $U \to E$ is a morphism of $\mathrm{TG}_\Sigma$.
Remark 3.13. Lemma 3.2 implies that $\mathrm{TG}_\Sigma$ has pullbacks. In the following we
will need their explicit description. The pullback of a cospan

$$(V,l,s) \xrightarrow{\;f\;} (W,t,r) \xleftarrow{\;g\;} (U,a,b)$$

is given by $(P,p,q)$ where

$$P = \{(v,u) \in V \times U \mid f(v) = g(u)\}$$

is the pullback of $f$ along $g$ in $\mathbf{Set}$ and

$$p : P \rightharpoonup O \qquad (v,u) \mapsto \begin{cases} l(v) & v \in \mathrm{dom}(l),\ u \in \mathrm{dom}(a) \\ \text{undefined} & \text{otherwise} \end{cases}$$

$$q : P \rightharpoonup P^* \qquad (v,u) \mapsto \begin{cases} [(s(v)_i,\, b(u)_i)]_{i=1}^{\mathrm{ar}(l(v))} & v \in \mathrm{dom}(l),\ u \in \mathrm{dom}(a) \\ \text{undefined} & \text{otherwise} \end{cases}$$

where, given $x \in X^*$, $x_i$ denotes its $i$-th letter and, given $x_1, \ldots, x_n \in X$, $[x_i]_{i=1}^n$
denotes the element of $X^*$ whose $j$-th letter $([x_i]_{i=1}^n)_j$ is exactly $x_j$.
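As an added illustration (this code is not part of the paper), the following Python sketch implements term graphs over a finite signature, the morphism condition, and the explicit pullback just described; it then checks the one-node span of Remark 3.11 and a small cospan in which one leg does not preserve empty nodes. The signatures, graphs and node names are constructed for the example.

```python
from itertools import product

# Added example, not from the paper: term graphs over a signature Σ = (O, ar),
# stored as a dict operator -> arity.  A term graph (V, l, s) keeps the partial
# functions l : V ⇀ O and s : V ⇀ V* as dicts with the same key set.

class TermGraph:
    def __init__(self, sig, nodes, lab, succ):
        assert set(lab) == set(succ), "dom(l) must equal dom(s)"
        for v, op in lab.items():
            assert v in nodes and sig[op] == len(succ[v]), "ar(l(v)) = length(s(v))"
        self.sig = sig
        self.V = frozenset(nodes)
        self.l = dict(lab)                                   # l : V ⇀ O
        self.s = {v: tuple(w) for v, w in succ.items()}      # s : V ⇀ V*

def delta(sig, nodes):
    """Δ(X) of Definition 3.8: every node empty."""
    return TermGraph(sig, nodes, {}, {})

def is_morphism(f, G, H):
    """f : G.V -> H.V is a morphism iff for every non-empty v of G:
    H.l(f(v)) = G.l(v) and H.s(f(v)) = f*(G.s(v)).  Empty nodes are unconstrained."""
    if set(f) != set(G.V) or not set(f.values()) <= H.V:
        return False
    return all(f[v] in H.l and H.l[f[v]] == G.l[v]
               and H.s[f[v]] == tuple(f[w] for w in G.s[v])
               for v in G.l)

def pullback(f, G, g, K, H):
    """Pullback of the cospan G --f--> H <--g-- K (Remark 3.13):
    P = {(v,u) | f(v) = g(u)}, with (v,u) labelled exactly when both v and u are."""
    assert is_morphism(f, G, H) and is_morphism(g, K, H)
    P = {(v, u) for v in G.V for u in K.V if f[v] == g[u]}
    lab, succ = {}, {}
    for (v, u) in P:
        if v in G.l and u in K.l:
            lab[(v, u)] = G.l[v]                             # equals K.l[u]: both equal the label in H
            succ[(v, u)] = tuple(zip(G.s[v], K.s[u]))        # [(s(v)_i, b(u)_i)]_i, each pair lies in P
    PB = TermGraph(G.sig, P, lab, succ)
    pi1 = {x: x[0] for x in P}
    pi2 = {x: x[1] for x in P}
    assert is_morphism(pi1, PB, G) and is_morphism(pi2, PB, K)
    return PB, pi1, pi2

def exists_morphism(G, H):
    """Brute-force search over all functions G.V -> H.V (tiny graphs only)."""
    Vs, Ws = sorted(G.V), sorted(H.V)
    return any(is_morphism(dict(zip(Vs, img)), G, H)
               for img in product(Ws, repeat=len(Vs)))

# Remark 3.11: signature {a, b} of arity 0 and a single node v.
SIG_AB = {"a": 0, "b": 0}
DELTA_V = delta(SIG_AB, {"v"})
G_A = TermGraph(SIG_AB, {"v"}, {"v": "a"}, {"v": ()})
G_B = TermGraph(SIG_AB, {"v"}, {"v": "b"}, {"v": ()})

def remark_3_11():
    """Both legs of G_A <- Δ({v}) -> G_B are morphisms, yet no term graph can
    receive f from G_A and g from G_B with f(v) = g(v): that node would need
    label a and label b.  We check the legs and that G_A and G_B admit no
    morphism in either direction (Remark 3.10)."""
    leg = {"v": "v"}
    return (is_morphism(leg, DELTA_V, G_A) and is_morphism(leg, DELTA_V, G_B)
            and not exists_morphism(G_A, G_B) and not exists_morphism(G_B, G_A))

# Pullback example over {f: 1, a: 0}.  The leg F_GH does not preserve empty
# nodes (g1 is empty, f(g1) = h1 is not), so the pair (g1, k2) is empty in the
# pullback although k2 is not: exactly the situation excluded by Proposition 3.2.
SIG_FA = {"f": 1, "a": 0}
G_EX = TermGraph(SIG_FA, {"g0", "g1"}, {"g0": "f"}, {"g0": ("g1",)})
K_EX = TermGraph(SIG_FA, {"k0", "k1", "k2"}, {"k0": "f", "k2": "a"}, {"k0": ("k1",), "k2": ()})
H_EX = TermGraph(SIG_FA, {"h0", "h1"}, {"h0": "f", "h1": "a"}, {"h0": ("h1",), "h1": ()})
F_GH = {"g0": "h0", "g1": "h1"}
G_KH = {"k0": "h0", "k1": "h1", "k2": "h1"}

def pullback_example():
    PB, _, _ = pullback(F_GH, G_EX, G_KH, K_EX, H_EX)
    return PB
```

The assertions inside `pullback` are the content of the uniqueness remark below: with `p` defined exactly when both components are labelled, the projections are morphisms, and the successor word of a labelled pair is forced.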


Now, notice that $q$ is the unique partial function $P \rightharpoonup P^*$ that makes the
projections arrows of $\mathrm{TG}_\Sigma$. Moreover $p$ too has a uniqueness property: it is
the unique partial function $P \rightharpoonup O$ such that the projections are arrows of $\mathrm{TG}_\Sigma$
and $p(x)$ is undefined if and only if at least one of the two images of $x$ is undefined. In
particular this implies the following result.

Proposition 3.2. $U$ creates pullbacks along arrows which preserve empty nodes.

This is especially useful when paired with the following result from [7].

Proposition 3.3 ([7], Prop. 4.3). An arrow $f : (V,l,s) \to (W,t,r)$ in $\mathrm{TG}_\Sigma$
is a regular mono if and only if $f$ is injective and preserves empty nodes.


Proof. ($\Rightarrow$) Follows by the construction of equalizers given in Remark 3.12.
($\Leftarrow$) Consider $(U,a,b)$ where $U = W \sqcup (W \setminus f(V))$. Let $i_1$ and $i_2$ be the inclusions
of $W$ and $W \setminus f(V)$ into $U$; we can define

$$a : U \rightharpoonup O \qquad u \mapsto \begin{cases} t(w) & u = i_1(w),\ w \in \mathrm{dom}(t) \\ t(w) & u = i_2(w),\ w \in (W \setminus f(V)) \cap \mathrm{dom}(t) \\ \text{undefined} & \text{otherwise} \end{cases}$$

while for $b : U \rightharpoonup U^*$ we put $b(u) = i_1^*(r(w))$ if $u = i_1(w)$, $w \in \mathrm{dom}(r)$, while if
$u = i_2(w)$ with $w \in \mathrm{dom}(r)$ we define $b(u) = [u_i]_{i=1}^{\mathrm{ar}(t(w))}$, where

$$u_i = \begin{cases} i_2(r(w)_i) & r(w)_i \in W \setminus f(V) \\ i_1(r(w)_i) & r(w)_i \in f(V) \end{cases}$$

We have two functions $(W,t,r) \to (U,a,b)$: one is just $i_1$, while the other one is
given by

$$g : W \to U \qquad w \mapsto \begin{cases} i_1(w) & w \in f(V) \\ i_2(w) & w \notin f(V) \end{cases}$$

Now, $i_1 \circ f$ and $g \circ f$ both send $v$ to $i_1(f(v))$, therefore

$$i_1 \circ f = g \circ f.$$

Suppose that $h : (P,p,q) \to (W,t,r)$ equalizes $i_1$ and $g$; thus $h(x) \in f(V)$ for
every $x \in P$, and we have a unique function $h' : P \to V$ such that $f \circ h' = h$.
For every $x \in \mathrm{dom}(p)$, $t(h(x)) = p(x)$, thus $h(x) = f(h'(x)) \in \mathrm{dom}(t)$. Since $f$
preserves empty nodes, $h'(x)$ belongs to $\mathrm{dom}(l)$, so:

$$p(x) = t(h(x)) = t(f(h'(x))) = l(h'(x)).$$

Preservation of successors follows at once, while uniqueness follows from the
uniqueness of the function $h'$ in $\mathbf{Set}$.


Lemma 3.3. $U$ preserves and lifts pushouts along regular monomorphisms; moreover
it reflects all pushout squares

$$\begin{array}{ccc} U(P,p,q) & \xrightarrow{\;U(n)\;} & U(T,c,d) \\ {\scriptstyle U(m)}\big\downarrow & & \big\downarrow \\ U(V,l,s) & \xrightarrow{\;U(g)\;} & U(U,a,b) \end{array}$$

in which $n$ is regular. In addition $\mathrm{Reg}(\mathrm{TG}_\Sigma)$ is closed under pushouts.

We can now use the first point of Theorem 2.2 to get half of the following result.

Theorem 3.6 ([7, Thm. 4.2]). The category $\mathrm{TG}_\Sigma$ is quasi-adhesive.


Proof. We already know by Lemmas 3.2 and 3.3 and Theorem 2.2 that pushouts
along regular monos are stable. So, let us take a cube whose top face is the square

$$\begin{array}{ccc} (V',l',s') & \xrightarrow{\;n'\;} & (W',t',r') \\ {\scriptstyle m'}\big\downarrow & & \big\downarrow{\scriptstyle f'} \\ (T',c',d') & \xrightarrow{\;g'\;} & (U',a',b') \end{array}$$

whose bottom face is the square

$$\begin{array}{ccc} (V,l,s) & \xrightarrow{\;n\;} & (W,t,r) \\ {\scriptstyle m}\big\downarrow & & \big\downarrow{\scriptstyle f} \\ (T,c,d) & \xrightarrow{\;g\;} & (U,a,b) \end{array}$$

and whose vertical arrows are $a : (V',l',s') \to (V,l,s)$, $c : (T',c',d') \to (T,c,d)$ and the
remaining two arrows $(W',t',r') \to (W,t,r)$ and $(U',a',b') \to (U,a,b)$, in which $m$ is regular,
the top and bottom faces are pushouts and the back faces (the ones over $m$ and $n$) are
pullbacks. Applying $U$ we get another cube with pushouts along monos as top and bottom
faces and pullbacks as vertical ones. Since $f$ is the pushout of the regular mono $m$ along
$n$, it is regular by Lemma 3.3; as $U$ creates pullbacks along regular monos by Proposition 3.2,
we can conclude that the front right face of the starting cube (the one over $f$) is a pullback
as well. We have to show that the front left face (the one over $g$) is a pullback too.
Suppose it is not; then, by the explicit description of pullbacks, there must be a node
$t \in T'$ which is empty in $(T',c',d')$ and such that $g'(t)$ and $c(t)$ are non-empty. By the
computation of pushouts along regular monos we can deduce that $g'(t) \in \mathrm{dom}(a')$ implies
the existence of $v \in V'$, necessarily empty, such that $m'(v) = t$ and $f'(n'(v)) = g'(t)$;
thus $n'(v)$ is non-empty since $f'$ is regular. Moreover, $c(m'(v)) = m(a(v))$ and the left
hand side is non-empty, therefore $a(v)$ is non-empty too by the regularity of $m$. So the
empty node $v$ has the two non-empty images $a(v)$ and $n'(v)$, which contradicts the
hypothesis that the back right face (the one over $n$) is a pullback.


4 Conclusions 


In this paper we have introduced a new criterion for $\mathcal{M},\mathcal{N}$-adhesivity, based
on the verification of some properties of functors connecting the category of interest
to a family of suitably adhesive categories. This criterion can be seen as
a distilled abstraction of many ad hoc proofs of adhesivity found in the literature.
It allows us to prove in a uniform and systematic way some previous
results about the adhesivity of categories built by products, exponents,
and comma construction. We have applied the criterion to several significant examples,
such as term graphs and directed (acyclic) graphs; moreover, using the
modularity of our approach, we have readily proved suitable adhesivity properties
for categories constructed by combining simpler ones. In particular, we have
been able to tackle the adhesivity problem for several categories of hierarchical
(hyper)graphs, including Milner’s bigraphs, bigraphs with sharing, and a new
version of bigraphs with recursion.

As future work, we plan to analyse other categories of graph-like objects using
our criterion; an interesting case is that of directed bigraphs [13,3,4]. Moreover, it
is worth verifying whether the $\mathcal{M},\mathcal{N}$-adhesivity that we obtain from the results
of this paper is suited for modelling specific rewriting systems, e.g. based on the
DPO approach. As an example, $\mathrm{TG}_\Sigma$ is quasi-adhesive but this does not suffice
in most applications, because the rules are often spans of monomorphisms, and
not of regular monos [7].
Abstract. We give a new quantifier elimination procedure for Presburger
arithmetic extended with a unary counting quantifier $\exists^{=x}y\,\Phi$ that
binds to the variable $x$ the number of different $y$ satisfying $\Phi$. While our
procedure runs in non-elementary time in general, we show that it yields
nearly optimal elementary complexity results for expressive counting extensions
of Presburger arithmetic, such as the threshold counting quantifier
$\exists^{\ge c}y\,\Phi$ that requires that the number of different $y$ satisfying $\Phi$ be at
least $c \in \mathbb{N}$, where $c$ can succinctly be defined by a Presburger formula.
Our results are cast in terms of what we call the monadically-guarded
fragment of Presburger arithmetic with unary counting quantifiers, for
which we develop a 2EXPSPACE decision procedure.


1 Introduction 


Counting the number of solutions to an equation, or the number of elements in 
a set subject to constraints, is a fundamental and often computationally chal- 
lenging problem studied in logic, mathematics and computer science. In discrete 
geometry, counting the number of integral points in a polyhedron is a canonical 
#P-complete problem. Barvinok’s celebrated algorithm solves this problem in
polynomial time when the dimension is fixed [2]. In this paper, we investigate 
a generalization of this problem and study algorithmic aspects of counting the 
number of models of formulae of Presburger arithmetic, the first-order theory of 
the integers with addition and order, and more generally, extensions of this logic 
with counting quantifiers. 

Counting quantifiers such as the Härtig quantifier, which allows one to assert
equal-cardinality constraints on the sets of satisfying assignments of two given
first-order formulae, have long been studied in first-order logic [6]. In first-order
theories of integer arithmetic, it is compelling to consider variants of counting
quantifiers that bind the number of satisfying assignments of a formula to a
first-order variable. Apelt [1] and Schweikardt [10] studied the decidability of
Presburger arithmetic enriched with the unary counting quantifier $\exists^{=x}y$ with
the following semantics: given an assignment of integers to the first-order variables
$x, z_1, \ldots, z_n$, a formula $\exists^{=x}y\,\Phi(x,y,z_1,\ldots,z_n)$ evaluates to true whenever
the number of different $y$ satisfying $\Phi(x,y,z_1,\ldots,z_n)$ is exactly $x$. In both [1]
and [10], decidability is shown by developing a quantifier elimination procedure
for this extension of Presburger arithmetic which eliminates a counting quantifier
by translating it into an equivalent quantified formula of Presburger arithmetic,
i.e., one that only uses standard first-order quantifiers. This immediately gives
decidability of Presburger arithmetic extended with the unary counting quantifier
$\exists^{=x}y$ since Presburger arithmetic is decidable in 2EXPSPACE [9,3,12]. Unfortunately,
the quantifier elimination procedures in [1,10] do not yield a similar
elementary upper bound for the extended theory, as the elimination of a single
quantifier $\exists^{=x}y$ results in an exponential blow-up of the formula size and introduces
nested first-order quantifiers. It is a wide open problem whether there
is a decision procedure for Presburger arithmetic extended with the counting
quantifier $\exists^{=x}y$ with elementary running time, or whether this theory admits a
significantly stronger lower bound than standard Presburger arithmetic.

To shed more light on the complexity of Presburger arithmetic extended
with the aforementioned unary counting quantifier, Habermehl and Kuske gave
a quantifier elimination procedure for Presburger arithmetic extended with a
unary modulo counting quantifier $\exists^{\equiv_q r}y$, where $r$ and $q$ are positive natural
numbers [4]. Here, $\exists^{\equiv_q r}y\,\Psi(y,z_1,\ldots,z_n)$ holds whenever the number of different
$y$ satisfying $\Psi(y,z_1,\ldots,z_n)$ is congruent to $r$ modulo $q$. An analysis of the growth
of the constants and coefficients occurring in their procedure then enables them
to derive a 2EXPSPACE upper bound for the logic, matching the complexity of
Presburger arithmetic on deterministic machines. This noteworthy result shows
that there is still room to extend Presburger arithmetic with non-trivial counting
quantifiers without increasing the computational cost of deciding the logic.

Note that in order to keep the logic decidable, the counting quantifiers considered
in the literature must be unary. Indeed, consider a binary counting quantifier
$\exists^{=x}(y_1,y_2)$ counting the number of different pairs $(y_1, y_2)$ satisfying a formula.
Then, $\Phi(x,z) = \exists^{=x}(y_1,y_2)\,(0 \le y_1, y_2 < z)$ holds precisely when $x = z^2$ (for $z \ge 0$),
which in turn allows defining multiplication, leading to undecidability of the resulting theory.


Our contribution. Following the lines of [4] while trying to avoid the limitations
of the procedures in [1,10], our goal is to study decision procedures for Presburger
arithmetic enriched with variants of counting quantifiers that do not increase
the complexity of Presburger arithmetic. To begin with, we develop a new
quantifier elimination procedure for Presburger arithmetic with unary counting
quantifiers $\exists^{=x}y$ that, in contrast to [1,10], does not require the introduction
of first-order quantifiers. While the procedure still runs in non-elementary time,
avoiding first-order quantification allows us not only to derive exponentially
better bounds on the size of the formula obtained after eliminating a single $\exists^{=x}y$,
but also to identify the sources of non-elementary growth. We exploit those
observations to extend the range of counting quantifiers that can be added to
Presburger arithmetic without increasing the complexity of the resulting logic.
The first type of counting quantifiers we consider is a threshold counting quantifier
$\exists^{\ge c}y$ for some integer $c$. A formula $\exists^{\ge c}y\,\Psi(y,z_1,\ldots,z_n)$ evaluates to true
whenever there are at least $c$ different values of $y$ satisfying $\Psi(y,z_1,\ldots,z_n)$. We
show that Presburger arithmetic enriched with threshold counting quantifiers can
be decided in 2EXPSPACE, even when the threshold $c$ itself is succinctly given as
the unique solution of a Presburger arithmetic formula. This is surprising since in
Presburger arithmetic one can define numbers that are triply exponential in the
size of the formula used to encode them [7, pp. 151-152]. Furthermore, we show
that if we restrict $c$ to be at most doubly exponential in the size of its encoding
then Presburger arithmetic with threshold counting quantifiers is decidable
in $\mathrm{STA}(*, 2^{2^{n^{O(1)}}}, O(n))$, matching the complexity of Presburger arithmetic [3].
Here, $\mathrm{STA}(s(n), t(n), a(n))$ is the class of all decision problems in which inputs
of length $n$ can be decided by an alternating Turing machine in space $s(n)$ and
time $t(n)$ using $a(n)$ alternations, where “$*$” stands for unbounded availability
of a certain resource.


Our results on the quantifier $\exists^{\ge c}y$ arise from studying a more general extension
of Presburger arithmetic that relies on the notion of monadic decomposition
put forward by Veanes et al. in [11] and studied by Hague et al. [5] in the context
of integer linear arithmetic. Briefly, a formula $\Phi(x,y_1,\ldots,y_n)$ is said to
be monadically decomposable on the variable $x$ whenever it is equivalent to a
formula of the form $\bigvee_{i \in I} A_i(x) \wedge \Psi_i(y_1,\ldots,y_n)$, i.e., a formula where the
satisfaction of constraints on $x$ does not depend on the values of $y_1,\ldots,y_n$. Based on
this definition, we extend Presburger arithmetic by allowing the general unary
counting quantifiers $\exists^{=x}y$ to appear with guards of the form $\exists x\,(\Psi \wedge \exists^{=x}y\,\Phi)$,
where $\Psi$ is monadically decomposable on the variable $x$. The resulting logic
is very powerful, as it not only generalizes the quantifiers $\exists^{\ge c}y$ but also the
modulo counting quantifiers $\exists^{\equiv_q r}y$ from [4]. We establish two further results
for this monadically-guarded fragment of Presburger arithmetic with counting
quantifiers. First, we develop a 3EXPTIME quantifier elimination procedure for
the logic, matching the complexity of the best possible quantifier elimination
procedures for Presburger arithmetic. Second, we exploit this procedure to obtain
a quantifier relativization argument showing that the logic is decidable
in 2EXPSPACE.


2 Presburger arithmetic with counting quantifiers 


General notation. The symbols $\mathbb{Z}$, $\mathbb{N}$ and $\mathbb{N}_+$ denote the set of integers, natural
numbers including zero, and natural numbers without zero, respectively. We
usually use $a, b, c, \ldots$ for integers, which we assume to be encoded in binary.
Given $n \in \mathbb{N}$, we write $[n] = \{0, \ldots, n-1\}$, and $\#A$ for the cardinality of a
set $A$. If $A$ is infinite, then $\#A = \infty$, and we postulate $n < \infty$ for all $n \in \mathbb{Z}$.

Structure. We consider the structure $\mathcal{Z} = (\mathbb{Z}, (c)_{c \in \mathbb{Z}}, +, <, (\equiv_q)_{q \in \mathbb{N}_+})$ of Presburger
arithmetic, where $(c)_{c \in \mathbb{Z}}$ are constant symbols interpreted as the integers
they name, the binary function symbol $+$ is interpreted as addition on $\mathbb{Z}$, the
binary relation $<$ is interpreted as “less than”, and $\equiv_q$ is interpreted as the modulo
relation, i.e., $a \equiv_q b$ if and only if $q$ divides $a - b$.
Basic syntax. Let $X = \{x, y, z, \ldots\}$ be a countable set of first-order variables.
Linear terms, usually denoted by $t, t_1, t_2$, etc., are expressions of the form
$a_1 x_1 + \cdots + a_d x_d + c$ where $x_1, \ldots, x_d \in X$ and $a_1, \ldots, a_d, c \in \mathbb{Z}$. The integer $a_i$
is the coefficient of the variable $x_i$. Variables not appearing in the linear term
are tacitly assumed to have a $0$ coefficient. A term $t$ is said to be $x$-free if the
coefficient of the variable $x$ in $t$ is $0$. The integer $c$ is the constant of the linear
term. Linear terms with constant $0$ are said to be homogeneous.

Given a term $t$, the lexeme $t < 0$ is understood as a linear inequality, and
$t \equiv_q 0$ is a modulo constraint. Syntactically, Presburger arithmetic (PA) is the
closure of linear inequalities and modulo constraints under the Boolean connectives
$\wedge$ and $\neg$ (i.e., conjunction and negation, respectively) and the first-order
quantifier $\exists y$. Presburger arithmetic with counting quantifiers (PAC) extends PA
with the (unary) counting quantifier $\exists^{=x}y$, where $x$ and $y$ are two syntactically
distinct variables from $X$. Formulae of PAC are denoted by $\Phi, \Psi, \Gamma$, etc.

We write $\mathrm{vars}(\Phi)$ and $\mathrm{fv}(\Phi)$ for the set of variables and free variables of $\Phi$, respectively,
with $\mathrm{fv}(\exists^{=x}y\,\Phi) = \{x\} \cup (\mathrm{fv}(\Phi) \setminus \{y\})$. A sentence is a formula $\Phi$ with
$\mathrm{fv}(\Phi) = \emptyset$. We sometimes write $\Phi(x_1, \ldots, x_k)$ or $\Phi(\mathbf{x})$, with $\mathbf{x} = (x_1, \ldots, x_k)$ a
tuple of variables, for a formula $\Phi$ with $\mathrm{fv}(\Phi) = \{x_1, \ldots, x_k\}$. We say that $\Phi$ is
$z$-free if $z \in X$ does not occur in $\Phi$. Given terms $t$ and $t'$, $\Phi[t'/t]$ stands for the formula
obtained from $\Phi$ by syntactically replacing every occurrence of $t$ by $t'$. Given
$\Phi(x_1, \ldots, x_k)$ and terms $t_1, \ldots, t_k$, $\Phi(t_1, \ldots, t_k)$ stands for $\Phi[t_1/x_1] \ldots [t_k/x_k]$.


Semantics. An assignment is a function $\nu : X \to \mathbb{Z}$ assigning an integer value to
every variable. As usual, we extend $\nu$ in the standard way to a function that maps
every term to an element of $\mathbb{Z}$. For instance, $\nu(x + 3y + 2) = \nu(x) + 3\nu(y) + 2$. Given
a variable $x$ and an integer $n$, we write $\nu[n/x]$ for the assignment obtained from $\nu$
by updating the value of $x$ to $n$, i.e. $\nu[n/x](x) = n$, and for all variables $y$ distinct
from $x$, $\nu[n/x](y) = \nu(y)$. Given a formula $\Phi$ of PAC and an assignment $\nu$, the
satisfaction relation $\nu \models \Phi$ is defined as usual for linear inequalities, modulo
constraints, Boolean connectives and the existential quantifier ranging over $\mathbb{Z}$.
For the counting quantifier, we define

$$\nu \models \exists^{=x}y\,\Phi \quad\text{if and only if}\quad \#\{n \in \mathbb{Z} \mid \nu[n/y] \models \Phi\} = \nu(x).$$

Informally, $\exists^{=x}y\,\Phi$ is satisfied by $\nu$ if there are exactly $\nu(x)$ distinct values for
the variable $y$ that make $\Phi$ true. A formula $\Phi$ of PAC is satisfiable (resp. valid)
if $\nu \models \Phi$ holds for some assignment (resp. every assignment) $\nu$. A formula $\Phi$
entails a formula $\Psi$, written $\Phi \models \Psi$, whenever every assignment satisfying $\Phi$ also
satisfies $\Psi$. We write $\Phi \Leftrightarrow \Psi$ to denote that $\Phi$ and $\Psi$ are equivalent, i.e. $\Phi \models \Psi$
and $\Psi \models \Phi$.


Syntactic abbreviations. We define $\bot := 0 < 0$ and $\top := \neg\bot$. The Boolean connectives
$\vee$, $\to$ and $\leftrightarrow$ and the universal first-order quantifier $\forall$ are derived as
usual, and so are the (in)equalities $\le$, $<$, $=$, $\ge$ and $>$ between terms. For instance,
$t_1 < t_2$ corresponds to $t_1 - t_2 < 0$, where we tacitly manipulate $t_1 - t_2$
with standard operations of linear arithmetic to obtain an equivalent term. Similarly,
$t_1 \equiv_q t_2$ is short for $t_1 - t_2 \equiv_q 0$, whereas $|t_1| + t_2 < 0$ is short for
$(t_1 < 0 \to t_2 - t_1 < 0) \wedge (t_1 \ge 0 \to t_1 + t_2 < 0)$. For a variable $x \in X$ and $r \in [q]$,
we call $x \equiv_q r$ a simple modulo constraint. All modulo constraints introduced
by our quantifier elimination procedure given in Section 3 are simple.


The counting quantifier $\exists^{\ge x}y$. Historically [1,10], the quantifier $\exists^{=x}y$ has been
the unary counting quantifier of choice when it comes to PAC. However, a priori
one could define PAC as the extension of PA featuring counting quantifiers $\exists^{\ge x}y$,
where $\nu \models \exists^{\ge x}y\,\Phi$ holds for an assignment $\nu$ whenever there are at least $\nu(x)$
values $n \in \mathbb{Z}$ for $y$ such that $\nu[n/y] \models \Phi$. Notice that the counting quantifier $\exists^{\ge x}$
can be expressed using $\exists^{=x}$, and vice versa:

$$\exists^{=x}y\,\Phi \;\Leftrightarrow\; \exists^{\ge x}y\,\Phi \wedge \exists x' : x' = x + 1 \wedge \neg\exists^{\ge x'}y\,\Phi; \quad\text{and}$$
$$\exists^{\ge x}y\,\Phi \;\Leftrightarrow\; (\forall z\,\exists y : |z| < |y| \wedge \Phi) \vee \exists x' : x' \ge x \wedge \exists^{=x'}y\,\Phi.$$

Two comments are in order: first, translating a PAC formula by swapping the
type of counting quantifiers using the equivalences above has the unpleasant effect
of increasing the size of the formula, exponentially if the nesting depth of
quantifiers is unbounded. Second, the subformula $\forall z\,\exists y : |z| < |y| \wedge \Phi$ used in
the last equivalence states that there are infinitely many values for $y$ that make
the formula $\Phi$ true. This formula highlights the main difference between the $\exists^{=x}y$
and $\exists^{\ge x}y$ quantifiers: the latter is true in the presence of infinitely many values
for $y$, whereas the former is false. Throughout the paper, we focus on the
quantifier $\exists^{=x}y$, as done in [1,10], but use this observation to argue that our
results can be readily adapted to the counting quantifier $\exists^{\ge x}y$. Full details of
this adaptation are given in the full version of the paper.


Parameters of formulae. To analyze quantifier-elimination procedures, following
[8,12], we introduce a number of parameters for formulae of PAC:

— $|\Phi|$ denotes the length of the formula $\Phi$, i.e., the number of symbols needed to write
down $\Phi$, with numbers encoded in binary. We always assume $|\Phi| \ge 2$;

— $\mathrm{qr}(\Phi)$ (resp. $\mathrm{nr}(\Phi)$) denotes the quantifier (resp. negation) rank of the formula
$\Phi$, i.e., the depth of nesting of the quantifiers (resp. negations) of $\Phi$;

— $\mathrm{fd}(\Phi)$ denotes the overall depth of $\Phi$, i.e., the depth of nesting of all constructors
(i.e. $\wedge$, $\neg$, $\exists x$ and $\exists^{=x}y$) in the formula $\Phi$;

— $\mathrm{lin}(\Phi)$ is the set containing the term $0$ plus all the terms $t$ that appear in
linear inequalities $t < 0$ of $\Phi$ (recall that $t_1 < t_2$ is short for $t_1 - t_2 < 0$);

— $\mathrm{hom}(\Phi)$ is the set of homogeneous linear terms obtained from all terms in
$\mathrm{lin}(\Phi)$ by setting their constants to $0$;

— $\mathrm{const}(\Phi)$ is the set of all constants appearing in linear terms of $\mathrm{lin}(\Phi)$; and

— $\mathrm{mod}(\Phi)$ is the set of all moduli $q \in \mathbb{N}$ appearing in modulo constraints
$t_1 \equiv_q t_2$ of $\Phi$. We postulate $1 \in \mathrm{mod}(\Phi)$, even if $\Phi$ has no modulo constraints.

Given a vector $\mathbf{v} = (v_1, \ldots, v_d) \in \mathbb{Z}^d$, we write $\|\mathbf{v}\| = \max\{|v_i| : 1 \le i \le d\}$
for the infinity norm of $\mathbf{v}$. Similarly, for a linear term $t$, we write $\|t\|$ for the
maximum absolute value of a coefficient or constant appearing in $t$. Given a
finite set of vectors or a finite set of terms $A$, we define $\|A\| = \max\{\|a\| : a \in A\}$.
Given a matrix $A \in \mathbb{Z}^{m \times d}$, its infinity norm is the maximal infinity norm of its
column vectors. Notice that $\|\mathrm{lin}(\Phi)\| = \|\mathrm{hom}(\Phi) \cup \mathrm{const}(\Phi)\|$. For a formula $\Phi$,
we define $\|\Phi\| = \|\mathrm{lin}(\Phi) \cup \mathrm{mod}(\Phi)\|$.
Complexity remarks. The proposition below characterizes the complexity of PA.

Proposition 1 ([3]). Presburger arithmetic is $\mathrm{STA}(*, 2^{2^{n^{O(1)}}}, O(n))$-complete.

To be more precise, the number of alternations required to decide the validity
or satisfiability of a formula $\Phi$ from Presburger arithmetic is linear in $\mathrm{nr}(\Phi)$.

Notice that $\mathrm{2NEXPTIME} \subseteq \mathrm{STA}(*, 2^{2^{n^{O(1)}}}, O(n)) \subseteq \mathrm{2EXPSPACE}$.


3 A quantifier elimination procedure for PAC 


In this section, we develop a new quantifier elimination procedure (QE procedure)
for the counting quantifier $\exists^{=x}y$:

Proposition 2. Let $\Phi$ be quantifier-free. Then $\exists^{=x}y\,\Phi$ is equivalent to a Boolean
combination of linear inequalities and simple modulo constraints.

We quantify the growth of parameters in the formula in Section 4. Upper
bounds on this growth are at the core of our results. Without any bounds (as
stated), Proposition 2 is known and can be obtained by chaining the quantifier
elimination procedure developed by Schweikardt [10] together with the standard
quantifier elimination procedure for Presburger arithmetic. An advantage of our
QE procedure for the quantifier $\exists^{=x}y$ is that it avoids the introduction of additional
$\exists$- and $\forall$-quantifiers when eliminating a counting quantifier, on which
Schweikardt’s procedure relies. More precisely, given a formula $\exists^{=x}y\,\Phi$ where $\Phi$
is quantifier-free (q.f. in short), the QE procedure in [10] requires a full transformation
of $\Phi$ into disjunctive normal form, and eliminates the quantifier $\exists^{=x}y$ by
introducing first-order quantifiers, producing an equivalent formula $\Psi$ of Presburger
arithmetic. This strategy comes at a cost: the size of the q.f. formula
obtained after removing the quantifiers from $\Psi$ is doubly exponential in the
size of $\exists^{=x}y\,\Phi$. By avoiding the introduction of first-order quantifiers, our QE
procedure already exponentially improves upon Schweikardt’s procedure.

Our QE procedure performs a series of formula manipulations, divided into
five steps. At the end of the $i$-th step, the procedure produces a formula $\Phi_i$ equivalent
to the original formula $\exists^{=x}y\,\Phi$. Ultimately, $\Phi_5$ is a Boolean combination
of inequalities and simple modulo constraints, allowing us to establish Proposition 2.
In this section, we present the procedure and briefly discuss its correctness,
leaving the computational analysis of the parameters $\mathrm{lin}(\Phi_5)$, $\mathrm{hom}(\Phi_5)$, $\mathrm{const}(\Phi_5)$
and $\mathrm{mod}(\Phi_5)$ to subsequent sections.


Step I: Normalise the coefficients of $y$. Given the input formula $\Phi_0 = \exists^{=x}y\,\Phi$,
with $\Phi$ q.f., the first step of the procedure is a standard step for QE procedures
for Presburger arithmetic. It produces an equivalent formula $\Phi_1$ in which all non-zero
coefficients of $y$ appearing in a linear term are normalized to $1$ or $-1$. For
simplicity, we first translate every modulo constraint in $\Phi$ into simple modulo
constraints, by relying on the lemma below.

Lemma 1. Every constraint $t \equiv_q 0$ is equivalent to a Boolean combination $\Psi$ of
simple modulo constraints such that $\mathrm{vars}(\Psi) \subseteq \mathrm{vars}(t \equiv_q 0)$ and $\mathrm{mod}(\Psi) = \{q\}$.
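As an added example (not from the paper), here is a direct implementation of Lemma 1: it enumerates the residue vectors in $[q]^{\mathrm{vars}(t)}$ on which $t$ vanishes modulo $q$ and emits the corresponding disjunction of conjunctions of simple modulo constraints, then checks the equivalence by brute force on a box of assignments. The term $3x - 2y + 1 \equiv_4 0$ is a constructed input; the $q^{\#\mathrm{vars}(t)}$ candidate residue vectors are what makes $\Psi$ exponential in the number of variables of $t$.

```python
from itertools import product

# Added example, not from the paper: Lemma 1 by enumeration of residue vectors.
# A term t = Σ a_x·x + c is a dict of coefficients plus a constant; the output Ψ
# is a list of conjuncts, each a dict {x: r_x} standing for ⋀_x x ≡_q r_x.

def simple_modulo_dnf(coeffs, const, q):
    """Ψ for t ≡_q 0: one conjunct per residue vector (r_x)_x ∈ [q]^vars(t)
    on which t vanishes modulo q.  vars(Ψ) ⊆ vars(t) and mod(Ψ) = {q}."""
    xs = sorted(coeffs)
    conjuncts = []
    for rs in product(range(q), repeat=len(xs)):
        value = sum(coeffs[x] * r for x, r in zip(xs, rs)) + const
        if value % q == 0:
            conjuncts.append(dict(zip(xs, rs)))
    return conjuncts

def render(conjuncts, q):
    """Human-readable Ψ (⊥ for the empty disjunction, ⊤ for an empty conjunct)."""
    if not conjuncts:
        return "⊥"
    parts = []
    for c in conjuncts:
        parts.append("(" + " ∧ ".join(f"{x} ≡_{q} {r}" for x, r in c.items()) + ")" if c else "⊤")
    return " ∨ ".join(parts)

def holds_constraint(coeffs, const, q, nu):
    """ν ⊨ t ≡_q 0 (Python's % already yields the representative in [q])."""
    return (sum(a * nu[x] for x, a in coeffs.items()) + const) % q == 0

def holds_dnf(conjuncts, q, nu):
    """ν ⊨ Ψ."""
    return any(all(nu[x] % q == r for x, r in c.items()) for c in conjuncts)

def equivalent_on_box(coeffs, const, q, bound):
    """Check t ≡_q 0 ⇔ Ψ on every assignment with |ν(x)| ≤ bound.  Both sides
    depend on the residues modulo q only, so bound ≥ q - 1 already covers all cases."""
    xs = sorted(coeffs)
    psi = simple_modulo_dnf(coeffs, const, q)
    return all(holds_constraint(coeffs, const, q, dict(zip(xs, vals)))
               == holds_dnf(psi, q, dict(zip(xs, vals)))
               for vals in product(range(-bound, bound + 1), repeat=len(xs)))

# Constructed input: 3x - 2y + 1 ≡_4 0.
T_COEFFS, T_CONST, Q = {"x": 3, "y": -2}, 1, 4

if __name__ == "__main__":
    print(render(simple_modulo_dnf(T_COEFFS, T_CONST, Q), Q))
```

For the constructed term the disjunction has four conjuncts (one admissible residue of $x$ for each residue of $y$), and the box check confirms the equivalence on all assignments in $[-6, 6]^2$.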


The first step of our QE procedure is as follows:

Translate every modulo constraint in $\Phi$ into simple modulo constraints (Lemma 1).
Let $k$ be the lcm of the absolute values of all coefficients of $y$ appearing in $\mathrm{hom}(\Phi)$.
Let $\Phi'$ be the formula obtained from $\Phi$ by applying the following three rewrite rules
to each linear inequality and simple modulo constraint in which $y$ appears:

• $a \cdot y + t < 0 \;\longrightarrow\; k \cdot y + (k/a) \cdot t < 0$, if $a > 0$,

• $a \cdot y + t < 0 \;\longrightarrow\; -k \cdot y - (k/a) \cdot t < 0$, if $a < 0$, and

• $y \equiv_q r \;\longrightarrow\; k \cdot y \equiv_{kq} k \cdot r$,

where $t$ is a $y$-free term, $q \ge 1$ and $r \in [q]$.
Define $\Phi_1 := \exists^{=x}y\,(y \equiv_k 0 \wedge \Phi'[y/ky])$.

Claim 1. $\Phi_0 \Leftrightarrow \Phi_1$, and in $\Phi_1$ all non-zero coefficients of $y$ are either $1$ or $-1$.


Step II: Subdivide the formula according to term orderings and residue classes.
We define an ordering for a set of linear terms $T$ to be a formula of the form

$$(t_1 \prec_1 t_2) \wedge (t_2 \prec_2 t_3) \wedge \cdots \wedge (t_{n-1} \prec_{n-1} t_n), \tag{1}$$

where $\{t_1, \ldots, t_n\} = T$ and $\{\prec_1, \ldots, \prec_{n-1}\} \subseteq \{<, =\}$.

Lemma 2. There is an algorithm that, given a set $T$ of $n$ linear terms over $d$ variables,
computes, in time polynomial in $n^d$ and $\log\|T\|$, a set $\{O_1, \ldots, O_o\}$ of orderings for $T$
s.t. (1) $o = O(n^d)$, (2) $\top \Leftrightarrow \bigvee_i O_i$, (3) $\bot \Leftrightarrow O_i \wedge O_j$ whenever $i \ne j$.

Lemma 2 is proven analogously to [13, Proposition 5.1].

The second step of our QE procedure is as follows:

Let $T$ be the set of all $y$-free terms $t$ such that $t$, $y - t$ or $-y + t$ belongs to $\mathrm{lin}(\Phi_1)$.
Using Lemma 2, build a set $\{O_1, \ldots, O_o\}$ of orderings for the terms $T$.
Let $Z := \mathrm{vars}(\Phi) \setminus \{y\}$ and $m := \mathrm{lcm}(\mathrm{mod}(\Phi_1))$.
For every $i \in [1,o]$ and every $r : Z \to [m]$, let $\Gamma_{i,r} := O_i \wedge \bigwedge_{z \in Z} z \equiv_m r(z)$.
Define $\Phi_2 := \bigvee_{i=1}^{o} \bigvee_{r : Z \to [m]} (\Gamma_{i,r} \wedge \Phi_1)$.

Claim 2. $\Phi_1 \Leftrightarrow \Phi_2$.

In Steps III to V of the procedure, we focus on each disjunct of $\Phi_2$ separately,
iterating over all $i \in [1,o]$, hence over all orderings, and all $r : Z \to [m]$,
i.e., functions assigning residue classes modulo $m$ to the variables in $Z$.

Step III: Split the range of $y$ into segments. Recall that $\Phi_1 = \exists^{=x}y\,\Psi$, where
$\Psi$ is some Boolean combination of inequalities and modulo constraints with
variables from $\mathrm{vars}(\Phi)$ in which the non-zero coefficients of $y$ are either $1$ or $-1$.

Let $T|_{O_i} = (t'_1, \ldots, t'_\ell)$ be the tuple of all the terms in $T$ that the formula $O_i$
asserts pairwise non-equal, taken in ascending order. In other words, we
obtain $t'_1, \ldots, t'_\ell$ by removing from the sequence $t_1, \ldots, t_n$ in Equation (1) all
terms $t_{j+1}$ for which $\prec_j$ is $=$. Let $\mathrm{seg}(y, O_i)$ be the set of formulae

$$\{\, y < t'_1,\ t'_\ell < y \,\} \;\cup\; \{\, y = t'_j \mid 1 \le j \le \ell \,\} \;\cup\; \{\, t'_{j-1} < y \wedge y < t'_j \mid 2 \le j \le \ell \,\}.$$

We have $\#\mathrm{seg}(y, O_i) = 2\ell + 1$. Given $\kappa \in \mathrm{seg}(y, O_i)$, the formula $O_i \wedge \kappa$ imparts
a linear ordering on the terms $T \cup \{y\}$. This enables us to “almost evaluate” $\Psi$:

Lemma 3. For every $\kappa \in \mathrm{seg}(y, O_i)$, there is a Boolean combination $\Psi_i^{\kappa,r}$ of
simple modulo constraints such that $\mathrm{vars}(\Psi_i^{\kappa,r}) = \{y\}$, $\mathrm{mod}(\Psi_i^{\kappa,r}) \subseteq \mathrm{mod}(\Psi)$ and

$$\Gamma_{i,r} \wedge \kappa \wedge \Psi \;\Leftrightarrow\; \Gamma_{i,r} \wedge \kappa \wedge \Psi_i^{\kappa,r}.$$

Our QE procedure manipulates $\Phi_2$ as follows:

For every $i \in [1,o]$ and every $r : Z \to [m]$:
  Let $\mathrm{seg}(y, O_i) = \{\kappa_0, \ldots, \kappa_{2\ell}\}$.
  For every $j \in [0, 2\ell]$, consider the formula $\Psi_i^{\kappa_j,r}$ from Lemma 3.
  Let $\Phi_3^{i,r}$ be the formula stating that $x$ is the sum of fresh variables $x_0, \ldots, x_{2\ell}$
  where, for each $j \in [0,2\ell]$, $x_j$ is constrained by $\exists^{=x_j}y\,(\kappa_j \wedge \Psi_i^{\kappa_j,r})$.
Define $\Phi_3 := \bigvee_{i=1}^{o} \bigvee_{r : Z \to [m]} (\Gamma_{i,r} \wedge \Phi_3^{i,r})$.

Claim 3. $\Phi_2 \Leftrightarrow \Phi_3$.


Step IV: Compute the number of solutions for each segment. We next aim at eliminating the counting quantifiers introduced in Step III in the sub-formulae $\exists^{=x_j}y\,(\kappa \wedge \Psi^{i,r}_\kappa)$. We go over each $\kappa \in \mathrm{seg}(y, O_i)$, and consider three cases depending on whether it specifies (syntactically) an infinite interval, a finite segment, or a single value for y.

Notice that r is in fact an assignment to variables, so $r(t) \in \mathbb{Z}$ is well-defined for every term t with free variables Z. For all $i \in [1, o]$ and $r \colon Z \to [m]$, given $T|_{O_i} = (t'_1, \dots, t'_\ell)$ the procedure computes the following numbers $c_1, \dots, c_\ell$, $p_2, \dots, p_\ell$ and $r_2, \dots, r_\ell$.


For every $j \in [1, \ell]$:
    If $\Psi^{i,r}_\kappa[r(t'_j)/y]$ is true, where $\kappa = (y = t'_j)$, then let $c_j = 1$, else let $c_j = 0$.
For every $j \in [2, \ell]$, with $\kappa = (t'_{j-1} < y \wedge y < t'_j)$:
    Let $p_j \in [0, m]$ be the number of $y \in [m]$ satisfying $\Psi^{i,r}_\kappa(y)$.
    Let $u_j = (r(t'_{j-1}) \bmod m)$.
    Let $\bar u_j$ be the smallest integer congruent to $r(t'_j)$ modulo m and greater than $u_j$.
    Let $r'_j \in [0, m]$ be the number of $y \in [u_j + 1, \bar u_j - 1]$ satisfying $\Psi^{i,r}_\kappa(y)$.
    Let $r_j \in [-m^2, m^2]$ be such that $r_j = -p_j \cdot (\bar u_j - u_j) + m \cdot r'_j$.


Lemma 4. Given a formula $\Psi^{i,r}_\kappa$ and $m, u_j, \bar u_j$, the numbers $p_j$ and $r_j$ can be computed in #P, or by a deterministic algorithm with running time $O(m \cdot |\Psi^{i,r}_\kappa|)$.


The numbers $c_j, p_j, r_j$ determine, for each $\kappa \in \mathrm{seg}(y, O_i)$, how many assignments to the variable y satisfy the formula $\Psi^{i,r}_\kappa$ in the conjunction $\Gamma_{i,r} \wedge \kappa \wedge \Psi^{i,r}_\kappa$. Intuitively, this is $c_j$ for $\kappa$ of the form $y = t'_j$, and $(p_j(t'_j - t'_{j-1}) + r_j)/m$ for $\kappa$ of the form $t'_{j-1} < y \wedge y < t'_j$. We say "intuitively" here, because in the latter case the expression above depends on other variables so is not, strictly speaking, a number. The following claims formalize this intuition:
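As an added illustration (not code from the paper), the following Python script carries out the Step IV computation of $p_j$, $u_j$, $\bar u_j$, $r'_j$ and $r_j$ for a segment $t'_{j-1} < y < t'_j$ on concrete end-point values, checks the closed form $(p_j(t'_j - t'_{j-1}) + r_j)/m$ against enumeration, and sums the per-segment counts as Step V does; the tuple encoding of $\Psi^{i,r}_\kappa$ and the sample constraints are constructed for the example.

```python
from math import lcm

# psi is a Boolean combination of simple modulo constraints on y, encoded as a
# tuple AST constructed for this example: ("mod", a, q) stands for y ≡ a (mod q),
# ("not", phi), ("and", phi1, phi2) and ("or", phi1, phi2) are the connectives.


def holds(psi, y):
    """Evaluate psi at the integer y; Python's % gives the residue also for negative y."""
    op = psi[0]
    if op == "mod":
        return y % psi[2] == psi[1] % psi[2]
    if op == "not":
        return not holds(psi[1], y)
    if op == "and":
        return holds(psi[1], y) and holds(psi[2], y)
    if op == "or":
        return holds(psi[1], y) or holds(psi[2], y)
    raise ValueError(f"unknown connective {op!r}")


def moduli(psi):
    """The set mod(psi) of moduli occurring in psi."""
    if psi[0] == "mod":
        return {psi[2]}
    return set().union(*(moduli(sub) for sub in psi[1:]))


def period(*psis):
    """m = lcm of all moduli: every psi is m-periodic in y."""
    return lcm(*set().union(*(moduli(p) for p in psis)))


def segment_parameters(psi, m, lo_res, hi_res):
    """The Step IV numbers for the segment t'_{j-1} < y < t'_j.

    lo_res and hi_res are the residues modulo m fixed by the guard Γ_{i,r} for the
    end points, i.e. r(t'_{j-1}) and r(t'_j).  Returns (p_j, u_j, ū_j, r'_j, r_j)."""
    p = sum(holds(psi, y) for y in range(m))                  # solutions in one period [m]
    u = lo_res % m                                            # u_j = r(t'_{j-1}) mod m
    ubar = u + (hi_res - u - 1) % m + 1                       # smallest ū_j > u_j, ū_j ≡ r(t'_j) mod m
    r_prime = sum(holds(psi, y) for y in range(u + 1, ubar))  # solutions in [u_j + 1, ū_j - 1]
    r = -p * (ubar - u) + m * r_prime                         # r_j, always within [-m², m²]
    return p, u, ubar, r_prime, r


def count_open_interval(psi, lo, hi, m=None):
    """Number of y with lo < y < hi satisfying psi, computed as (p_j (hi - lo) + r_j) / m.

    lo and hi play the role of one valuation of the terms t'_{j-1} and t'_j, so the
    symbolic expression of Claim 6 becomes a plain integer here."""
    if hi <= lo:
        return 0                                              # the ordering O_i rules this out
    m = period(psi) if m is None else m
    p, _u, _ubar, _r_prime, r = segment_parameters(psi, m, lo, hi)
    numerator = p * (hi - lo) + r
    assert numerator % m == 0, "p_j (t'_j - t'_{j-1}) + r_j is a multiple of m (Claim 6)"
    return numerator // m


def brute_force(psi, lo, hi):
    """Reference count by enumeration, used to check the closed form."""
    return sum(holds(psi, y) for y in range(lo + 1, hi))


def count_solutions(point_psis, segment_psis, terms):
    """Step V on concrete data.

    terms are values t'_1 < ... < t'_ℓ; point_psis[j-1] is Ψ for the segment y = t'_j
    (giving c_j) and segment_psis[j-2] is Ψ for t'_{j-1} < y < t'_j.  The two unbounded
    segments are assumed unsatisfiable, as in the non-⊥ case of Φ_4^{i,r}, so the
    result is the x solving m·x = Σ_j (p_j (t'_j - t'_{j-1}) + r_j) + m·Σ_j c_j."""
    m = period(*point_psis, *segment_psis)
    total = sum(int(holds(psi, t)) for psi, t in zip(point_psis, terms))
    for j in range(1, len(terms)):
        total += count_open_interval(segment_psis[j - 1], terms[j - 1], terms[j], m)
    return total


# Sample constraints (constructed): y ≡ 1 (mod 3) ∧ ¬(y ≡ 0 (mod 2)), and y ≡ 0 (mod 2) ∨ y ≡ 0 (mod 3)
ODD_ONE_MOD_3 = ("and", ("mod", 1, 3), ("not", ("mod", 0, 2)))
EVEN_OR_MULT_3 = ("or", ("mod", 0, 2), ("mod", 0, 3))

if __name__ == "__main__":
    for psi in (ODD_ONE_MOD_3, EVEN_OR_MULT_3):
        for lo, hi in ((2, 20), (-5, 7), (0, 5)):
            print(psi, lo, hi, count_open_interval(psi, lo, hi), brute_force(psi, lo, hi))
    print(count_solutions([EVEN_OR_MULT_3] * 3, [EVEN_OR_MULT_3, ODD_ONE_MOD_3], [0, 5, 9]))
```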
Claim 4. Let $\kappa \in \{y < t'_1,\ t'_\ell < y\}$. If $\Psi^{i,r}_\kappa(y)$ is satisfiable, then $\exists^{=x}y\,(\kappa \wedge \Psi^{i,r}_\kappa) \Leftrightarrow \bot$.

Claim 5. Let $j \in [1, \ell]$ and $\kappa = (y = t'_j)$. Then, $\exists^{=x}y\,(\kappa \wedge \Psi^{i,r}_\kappa) \Leftrightarrow x = c_j$.

Claim 6. Let $\kappa = (t'_{j-1} < y \wedge y < t'_j)$ for some $j \in [2, \ell]$ and let z be a fresh variable. Then, $\Gamma_{i,r} \wedge \exists^{=z}y\,(\kappa \wedge \Psi^{i,r}_\kappa) \Leftrightarrow \Gamma_{i,r} \wedge m \cdot z = p_j(t'_j - t'_{j-1}) + r_j$.

The procedure manipulates the formula $\Phi_3$ as follows:


For every $i \in [1, o]$ and every $r \colon Z \to [m]$:
    If $\Psi^{i,r}_\kappa(y)$ is satisfiable for some $\kappa \in \{y < t'_1,\ t'_\ell < y\}$, then let $\Phi_4^{i,r} := \bot$,
    else $\Phi_4^{i,r} := \exists x_2 \dots \exists x_\ell\,\big(x = \sum_{j=2}^{\ell} x_j + \sum_{j=1}^{\ell} c_j \wedge \bigwedge_{j=2}^{\ell} m \cdot x_j = p_j(t'_j - t'_{j-1}) + r_j\big)$.
Define $\Phi_4 := \bigvee_{i=1}^{o} \bigvee_{r \colon Z \to [m]} (\Gamma_{i,r} \wedge \Phi_4^{i,r})$.

Claim 7. $\Phi_3 \Leftrightarrow \Phi_4$.

Step V: Sum up the solutions. It remains to get rid of the variables $x_j$ introduced earlier. For each disjunct $\Gamma_{i,r} \wedge \Phi_4^{i,r}$ of $\Phi_4$, we use the notation from Step IV.

For every $i \in [1, o]$ and every $r \colon Z \to [m]$:
    If $\Phi_4^{i,r} = \bot$, then let $\Phi_5^{i,r} := \bot$,
    else let $\Phi_5^{i,r} := m \cdot x = \sum_{j=2}^{\ell} \big(p_j(t'_j - t'_{j-1}) + r_j\big) + m \cdot \sum_{j=1}^{\ell} c_j$.
Let $\Phi_5 := \bigvee_{i=1}^{o} \bigvee_{r \colon Z \to [m]} (\Gamma_{i,r} \wedge \Phi_5^{i,r})$.

The procedure outputs $\Phi_5$. The following claim implies Proposition 2.

Claim 8. $\Phi_4 \Leftrightarrow \Phi_5$. The formula $\Phi_5$ is quantifier-free.


4 Discussion, summary of results and roadmap 


The QE procedure for a single counting quantifier $\exists^{=x}y$ from Section 3 forms the basis of our results. In this section we discuss its use and lay out its applications.


Analysis of the procedure. The next lemma establishes the growth of the formulae 
and their parameters in our quantifier elimination procedure. 


Lemma 5. Let $\Phi_5$ be obtained from applying the QE procedure of Section 3 to a formula $\exists^{=x}y\,\Phi$, where $\Phi$ is quantifier-free and $\#\mathrm{vars}(\Phi) = d$. Then:

$\mathrm{mod}(\Phi_5) = \{m\}$ with $m = k \cdot \mathrm{lcm}(\mathrm{mod}(\Phi))$ and $k \le \|\mathrm{hom}(\Phi)\|^{\#\mathrm{hom}(\Phi)}$,
$\#\mathrm{lin}(\Phi_5) \le N^{O(1)}$, $\|\mathrm{lin}(\Phi_5)\| \le O(N) \cdot \|\mathrm{lin}(\Phi)\|$,
$\#\mathrm{hom}(\Phi_5) \le N^{O(1)}$, $\|\mathrm{hom}(\Phi_5)\| \le O(N) \cdot \|\mathrm{hom}(\Phi)\|$, with $N = m^d \cdot \#\mathrm{lin}(\Phi)$.


Remark 1. With minor changes to our procedure, one can obtain a QE procedure for the quantifier $\exists^{\ge x}y$. In particular, since $\exists^{\ge x}y\,\Phi$ is true if there are infinitely many values for y that satisfy $\Phi$, Claim 4 needs to be updated so that $\Phi_4^{i,r} \Leftrightarrow \top$ is deduced, instead of $\Phi_4^{i,r} \Leftrightarr$\bot$. Other minor adaptations are required, e.g. equalities "$x = \dots$" and counting quantifiers $\exists^{=x_j}y$ appearing in Line 13 must be updated to "$x \le \dots$" and $\exists^{\ge x_j}y$. The resulting QE procedure for $\exists^{\ge x}y$ still adheres to the bounds in Lemma 5.
A consequence of Lemma 5 is that our QE procedure gives an algorithm for deciding a formula $\Phi$ from PAC featuring multiple counting quantifiers $\exists^{=x}y$ in time bounded by a tower of exponentials $2^{2^{\cdot^{\cdot^{\cdot}}}}$ whose height is linear in the quantifier rank of $\Phi$. Indeed, in view of the upper bounds and equations given by Lemma 5 for $\#\mathrm{hom}(\Phi_5)$, N, m, and k, we observe that the upper bound for $\#\mathrm{hom}(\Phi_5)$ is exponential in $\#\mathrm{hom}(\Phi)$. This means that more fine-grained bounds are necessary for decision procedures with elementary complexity, i.e., with a running time bounded from above by a k-fold exponential in the size of the input formula.


Elementary decision procedures. In view of this growth of the parameters, it 
is natural to ask ourselves whether our QE procedure is perhaps naively dis- 
regarding important properties of the underlying arithmetic theory that could 
lead to better bounds. A good test in this direction is to check whether improved 
bounds can be achieved when the procedure runs on restricted forms of counting 
quantifiers. In the remainder of the paper we show that this is the case, and ex- 
plain how the growth of parameters can be countered for restricted quantifiers, 
obtaining 3EXPTIME quantifier elimination procedures as well as 2EXPSPACE 
decision procedures for extensions of PA with a variety of counting quantifiers. 

As an example, let us consider Presburger arithmetic enriched with threshold quantifiers $\exists^{\ge c}y\,\Phi$, where $c \in \mathbb{N}$ is written in binary. These are satisfied whenever there are at least c distinct values for the variable y that make the formula $\Phi$ true. Notice that the threshold counting quantifiers $\exists^{\ge c}y$ are a syntactic generalization of the first-order quantifiers, as $\exists^{\ge 1}y\,\Phi = \exists y\,\Phi$. Interestingly enough, one can translate threshold quantifiers into standard Presburger arithmetic with just a polynomial increase in the size of the formula. For simplicity, assume that the threshold c is a power of 2. Then, the quantifier $\exists^{\ge c}y$ can be internalized in PA by relying on the equivalence

$\exists^{\ge 2c}y\,\varphi(y, \mathbf{z}) \Leftrightarrow \exists u\,\forall v\,\exists^{\ge c}y : (v = 0 \leftrightarrow y < u) \wedge \varphi(y, \mathbf{z})$

as well as $\exists^{\ge 1}y\,\Phi \Leftrightarrow \exists y\,\Phi$. However, in terms of decision procedures, this is an inadequate solution, as it comes at the cost of introducing $2 \log c$ many quantifier alternations. Building upon the QE procedure from Section 3, we show how to directly eliminate threshold quantifiers. This proves that the increase in alternation depth that depends on the threshold c is unnecessary.


Theorem 1. The validity of a formula $\Phi$ from Presburger arithmetic with threshold counting quantifiers can be decided in $\mathrm{STA}(*,\, 2^{2^{|\Phi|^{O(1)}}},\, O(\mathrm{fd}(\Phi)))$.

This result matches the complexity of deciding standard PA in the case of unbounded alternation depth. Thus, PA can be enriched with threshold quantifiers with almost no computational overhead. Note that a slight increase in the number of alternations is still required, and goes from $O(\mathrm{qr}(\Phi))$ for PA to $O(\mathrm{fd}(\Phi))$ for PA with threshold counting quantifiers.

We further strengthen Theorem 1, extending it to the case where the threshold c is encoded even more succinctly, as the unique solution of a PA formula $\varphi(x)$ as long as this solution is bounded doubly-exponentially in $|\varphi|$. An example of such a formula is $\varphi(x) = \exists z : z = 1 \wedge \Psi_n(x, z)$, where

$\Psi_0(x, z) := x = 2z,$
$\Psi_{n+1}(x, z) := \exists y\,\forall a\,\forall b : \big((a = x \wedge b = y) \vee (a = y \wedge b = z)\big) \to \Psi_n(a, b),$

and the only solution is given by $x = 2^{2^n}$ [7, Lecture 23], whilst $|\varphi| = O(n)$. The crux of our results lies in the identification of a fragment of PAC that we call monadically-guarded, for which the following theorem can be established.


Theorem 2. Monadically-guarded PAC is decidable in 2EXPSPACE. 


In the next section, we introduce the monadically-guarded fragment of PAC 
and discuss extensions of PA that can be captured by this fragment. In Section 6, 
by adding post-processing to the procedure from Section 3, we show how to deal 
with any monadically-guarded counting quantifiers in 3EXPTIME. In Section 7 
we establish Theorem 2 by designing a quantifier relativization argument, con- 
tinuing the direction of research due to [12]. In Section 8 we prove Theorem 1. 


5 The monadically-guarded fragment of PAC 


Fix a logic $\mathcal{L}$. A formula $\Phi(x, \mathbf{z})$ from $\mathcal{L}$, where $\mathbf{z}$ is a tuple of variables not including x, is said to be monadically decomposable on the variable x whenever

$\Phi \Leftrightarrow \Psi$, for some $\Psi = \bigvee_i \big(\Lambda_i(x) \wedge \Gamma_i(\mathbf{z})\big)$,

where $\Lambda_i$ and $\Gamma_i$ are formulae from $\mathcal{L}$. In this case, $\Psi$ is said to be a monadic decomposition of $\Phi$ on the variable x.

The notion of monadic decomposition has been put forward by Veanes et al. in [11], as a general simplification technique that improves the performance of solvers. Here, our interest lies in studying whether the notion of monadic decomposability can bring complexity advantages for Presburger arithmetic with counting quantifiers. With this in mind, we consider formulae of PAC that we call monadically-guarded: those in which the quantifiers $\exists^{=x}y$ only appear in subformulae of the form $\exists x\,(\Psi \wedge \exists^{=x}y\,\Phi)$, where $\Phi$ and $\Psi$ are themselves from the monadically-guarded fragment of PAC, x does not occur in $\Phi$, and $\Psi$ is monadically decomposable on the variable x. The monadically-guarded fragment of PAC is understood as the set of all formulae from PAC that are monadically-guarded. This fragment captures several interesting extensions of PA:


— It can express that the number of different y satisfying $\Phi(y, \mathbf{z})$ lies in an arithmetic progression $b,\ b + p,\ b + 2 \cdot p,\ \dots,\ b + i \cdot p,\ \dots$, with $b, p \in \mathbb{N}$. That is,

$\exists x\,(x \ge b \wedge x \equiv_p b \wedge \exists^{=x}y\,\Phi(y, \mathbf{z})).$

This type of monadically-guarded formulae extends the modulo counting quantifiers studied by Habermehl and Kuske [4]. A modulo counting quantifier applied to $\Phi$ holds whenever the number of different y satisfying $\Phi$ is congruent to r modulo q. Hence, such a quantifier applied to $\Phi$ is equivalent to $\exists x\,(x \equiv_q r \wedge \exists^{=x}y\,\Phi)$. Moreover, in the monadically-guarded fragment, we can replace the integer r with an arbitrary linear term t with variables from $\mathbf{z}$, since the modulo constraint $x \equiv_q t$ can be monadically decomposed into $\bigvee_{r \in [q]} (x \equiv_q r \wedge t \equiv_q r)$.
— As we recalled in the previous section with the formula $\Psi_n(x, z)$, it is known that PA allows one to succinctly encode numbers that are doubly or triply exponentially large with respect to the size of the formula. For instance, one can define a formula $L_n(x)$, again of size polynomial in n, that is true whenever x is the product of all primes in the interval $[2, 2^{2^n}]$ (see [7, Lecture 24]). In this case, $x \ge 2^{c \cdot 2^{2^n}}$ for some fixed $c > 0$. The monadically-guarded fragment of PAC allows one to use these succinct representations as guards of counting quantifiers. For instance, $\exists x\,(L_n(x) \wedge \exists^{=x}y\,\Psi(y, \mathbf{z}))$ is true whenever the number of y satisfying $\Psi(y, \mathbf{z})$ is the product of all primes in $[2, 2^{2^n}]$.


Hague et al. [5] proved that constructing the monadic decomposition of a quantifier-free formula can be done in exponential time. More precisely, given a q.f. formula $\Phi(x, \mathbf{y})$ from PA that is monadically decomposable on x, in [5] it is shown that there is a natural number B of magnitude exponential in $|\Phi|$ that makes the following formula $\Psi_B(x, \mathbf{y})$ a monadic decomposition of $\Phi$ on x:

$\Psi_B := \bigvee_{c \in [m]} \Big( \big(x > B \wedge x \equiv_m c \wedge \Phi(B + c, \mathbf{y})\big) \vee \big(x < -B \wedge x \equiv_m c \wedge \Phi(-B - c, \mathbf{y})\big) \Big) \vee \bigvee_{c = -B}^{B} \big(x = c \wedge \Phi(c, \mathbf{y})\big),$

where $m = \mathrm{lcm}(\mathrm{mod}(\Phi))$. We study the arguments presented in [5] and refine the bound B, tracking dependencies on several formula parameters separately. We find that B is polynomial in $\|\Phi\|$; it is only exponential in $\#\mathrm{mod}(\Phi)$ and in the number of variables of the tuple $\mathbf{y}$.

Proposition 3. Let $\Phi(x, \mathbf{y})$ be a q.f. formula from PA, where $\mathbf{y} = (y_1, \dots, y_d)$. Let $m = \mathrm{lcm}(\mathrm{mod}(\Phi))$ and $B = 2^{4d^2}\,(m \cdot \|\mathrm{lin}(\Phi)\|)^{6d} + 1$. If $\Phi$ is monadically decomposable on x, then the formula $\Psi_B$ is such a decomposition.


Together with our QE procedure, Proposition 3 shows that it is decidable 
to check whether a formula of PAC is monadically decomposable (on a certain 
variable). Due to Theorem 2, this problem is in 2EXPSPACE for formulae of the 
monadically-guarded fragment of PAC. Besides, notice that all formulae having 
one free variable are monadic decompositions of themselves. 

Our QE procedure for the monadically-guarded fragment of PAC, outlined 
below, makes use of the sharper bound obtained in Proposition 3. 


6 Eliminating monadically-guarded counting quantifiers 


Consider a formula $\Phi_0 = \exists x\,(\Psi \wedge \exists^{=x}y\,\Phi)$, where $\Phi$ and $\Psi$ are quantifier-free formulae, x does not occur in $\Phi$, and $\Psi$ is monadically decomposable on x. By relying on the QE procedure introduced in Section 3, we show how to obtain a quantifier-free formula equivalent to $\Phi_0$. W.l.o.g., we assume that all free variables distinct from x and y and occurring in $\Phi$ and $\Psi$ come from the tuple of variables $\mathbf{z}$.

Below, let $\Psi' = \bigvee_{k \in K} \Lambda_k(x) \wedge \Gamma_k(\mathbf{z})$ be the monadic decomposition of $\Psi$ on the variable x computed according to Proposition 3. Recall that this means that each $\Lambda_k$ is a formula having one among the following three forms:

$x > B \wedge x \equiv_q c; \qquad x < -B \wedge x \equiv_q c; \qquad \text{or} \qquad x = r,$

where $q = \mathrm{lcm}(\mathrm{mod}(\Psi))$, $c \in [q]$, $r \in [-B + 1, B - 1]$ and B is a fixed natural number. Let us also consider the formula $\Phi_5$ obtained from performing the QE procedure for the $\exists^{=x}y$ counting quantifier on $\exists^{=x}y\,\Phi$, so that $\Phi_0 \Leftrightarrow \exists x\,(\Psi' \wedge \Phi_5)$. In particular, recall that $\Phi_5 = \bigvee_{i=1}^{o} \bigvee_{r \colon Z \to [m]} (\Gamma_{i,r} \wedge \Phi_5^{i,r})$, where Z is the set of variables appearing in $\mathbf{z}$, $m = \mathrm{lcm}(\mathrm{mod}(\Phi))$ and $\Gamma_{i,r} = O_i \wedge (\bigwedge_{w \in Z} w \equiv_m r(w))$ is a conjunction of an ordering $O_i$ and simple modulo constraints with variables from Z. Hence, $\Gamma_{i,r}$ is x-free. Moreover, $\Phi_5^{i,r}$ is either $\bot$ or a formula of the form

$m \cdot x = \sum_{j=2}^{\ell} \big(p_j (t'_j - t'_{j-1}) + r_j\big) + m \cdot \sum_{j=1}^{\ell} c_j \qquad (2)$

where the terms $t'_1, \dots, t'_\ell$ are from T (where T is defined as in Step II of Section 3), and hence x-free. Therefore, the following property holds.

Claim 9. In $\Phi_5$, x only appears on the left-hand side of equalities of the form (2).


This inconspicuous claim, together with the shape of $\Lambda_k$, is at the heart of our QE procedure eliminating x from the formula $\exists x\,(\Psi' \wedge \Phi_5)$. Indeed, after distributing the existential quantifier $\exists x$ and all conjunctions over disjunctions of $\Psi' \wedge \Phi_5$, we end up with a disjunction of formulae of the form $\exists x : \Lambda_k(x) \wedge \Gamma_k(\mathbf{z}) \wedge \Gamma_{i,r} \wedge \Phi_5^{i,r}$, and let us consider one such disjunct with $\Lambda_k(x) = (x > B \wedge x \equiv_q c)$ and $\Phi_5^{i,r}$ as in Equation (2). The variable x can be eliminated with a simple substitution, rewriting $\Lambda_k(x) \wedge \Phi_5^{i,r}$ as the new formula $\xi > m \cdot B \wedge \xi \equiv_{m \cdot q} m \cdot c$, where $\xi$ is the right-hand side of Equation (2). The correctness of this rewrite step follows simply from the equivalences $x > B \Leftrightarrow m \cdot x > m \cdot B$ and $x \equiv_q c \Leftrightarrow m \cdot x \equiv_{m \cdot q} m \cdot c$, with $m \ge 1$. In a similar way, we can treat all possible cases for the different forms of $\Lambda_k(x)$ and $\Phi_5^{i,r}$. We obtain a formula

$\Gamma_k(\mathbf{z}) \wedge \Gamma_{i,r} \wedge \xi > m \cdot B \wedge \xi \equiv_{m \cdot q} m \cdot c. \qquad (3)$

The number of homogeneous terms across all such disjuncts is still prohibitive as it was in $\Phi_5$. Now comes the key simplification step; we deal with the inequality $\xi > m \cdot B$ and with the modulo constraint $\xi \equiv_{m \cdot q} m \cdot c$.

Consider the former first. By definition, all the coefficients $p_j$ of Equation (2) are non-negative, and thanks to the ordering $O_i$ appearing in $\Gamma_{i,r}$, in every valuation $\nu$ satisfying the formula in Equation (3) we have $\nu(t'_j - t'_{j-1}) > 0$. Therefore, the inequality $\xi > m \cdot B$ can be translated into a formula of the form $\bigvee_{g \in G} \bigwedge_{j=2}^{\ell} t'_j - t'_{j-1} \ge d_{g,j}$, where each $d_{g,j}$ is non-negative and, for every $g \in G$, the sum $\sum_{j=2}^{\ell} p_j \cdot d_{g,j}$ is at least $e = m\big(B - \sum_{j=1}^{\ell} c_j\big) - \sum_{j=2}^{\ell} r_j$. To compute this formula efficiently, we appeal to Lemma 2, with respect to the set of terms $\{t'_j - t'_{j-1} \mid j \in [2, \ell]\} \cup [0, e]$.

Lemma 6. Let $d = \#\mathrm{fv}(O_i \wedge \xi > m \cdot B)$. In time $(e + \ell)^{O(d)} \cdot \log(B \cdot \|O_i\|)^{O(1)}$ one can compute a formula $\Theta = \bigvee_{g \in G} \bigwedge_{j=2}^{\ell} t'_j - t'_{j-1} \ge d_{g,j}$ s.t. (1) $d_{g,j} \in [0, e + 1]$, (2) $\#G \le O((e + \ell)^{d})$, and (3) $O_i \wedge \xi > m \cdot B \Leftrightarrow O_i \wedge \Theta$.


A similar simplification can be done for the modulo constraint $\xi \equiv_{m \cdot q} m \cdot c$: we guess residue classes of variables in $\xi$ modulo $m \cdot q$, rewriting $\xi \equiv_{m \cdot q} m \cdot c$ into $\bigvee_{s \colon Z \to [m \cdot q]} \big(\xi \equiv_{m \cdot q} m \cdot c \wedge \bigwedge_{z \in Z} z \equiv_{m \cdot q} s(z)\big)$ and then replace, in each disjunct, $\xi \equiv_{m \cdot q} m \cdot c$ by $\top$ or $\bot$, according to the satisfaction of $s(\xi) \equiv_{m \cdot q} m \cdot c$.

The steps just discussed form the post-processing phase of our QE procedure for the monadically-guarded fragment of PAC. Thanks to Lemma 6, we can show that the set of homogeneous terms of the resulting quantifier-free formula $\Phi'$, equivalent to $\Phi_0$, is the set of homogeneous terms in the monadic decomposition $\Psi'$, together with terms of the form $t - t'$ with t and $t'$ belonging to the set T defined in Line 5. But $\#\mathrm{hom}(\Psi') = O(\#\mathrm{hom}(\Phi_0))$, and thus:

Lemma 7. $\#\mathrm{hom}(\Phi') \le O(\#\mathrm{hom}(\Phi_0)^2)$.


Running time. Lemma 7 is the key to obtaining an elementary QE procedure. In particular, this improvement over the exponential dependence of $\#\mathrm{hom}(\Phi_5)$ on $\#\mathrm{hom}(\Phi)$ from our "baseline" Lemma 5 leads to the following bounds on the elimination of an arbitrary number of monadically-guarded quantifiers.


Lemma 8. Let $\Omega$ be a formula from the monadically-guarded fragment of PAC, with quantifier rank d. There is an equivalent quantifier-free formula $\Upsilon$ such that

— $\#\mathrm{hom}(\Upsilon) \le |\Omega|^{2^d}$ and $\#\mathrm{mod}(\Upsilon) \le O(|\Omega|)$;
— $\#\mathrm{lin}(\Upsilon)$, $\|\mathrm{const}(\Upsilon)\|$, $\|\mathrm{hom}(\Upsilon)\|$ and $\|\mathrm{mod}(\Upsilon)\|$ are at most $2^{|\Omega|^{2^{O(d)}}}$.

Proof idea. In a nutshell, the bounds of Lemma 8 are obtained by first iterating Lemma 7 across all quantifier elimination rounds. This results in the doubly exponential bound $|\Omega|^{2^d}$ on the cardinality of the set of homogeneous terms throughout the entire procedure. With this bound in hand, exponentiation on the right-hand side of the inequalities of Section 3 does not blow the parameters above triple exponential.


Subsequent analysis leads to the following result. 


Theorem 3. There is a 3EXPTIME quantifier elimination procedure for the 
monadically-guarded fragment of PAC. 


Theorem 3 follows by combining Lemma 8 with upper bounds on the run- 
ning time of a single quantifier elimination round. These upper bounds are all 
subsumed by the size of the obtained formulae, except possibly for the subdivi- 
sion procedure of Step II (Lemma 2), the model counting procedure of Step IV 
(Lemma 4), and the further subdivision performed by Lemma 6. For Lemmas 2 
and 6, the running time is only exponential in the size of the original formula, 
and thus polynomial time in the size of the obtained formula, as long as the latter 
has at least exponential size. For Lemma 4, observe that $m \le \|\mathrm{mod}(\Upsilon)\|$, where $\Upsilon$ is the quantifier-free formula of Lemma 8. Therefore, the bounds of Lemma 8 suffice for a triply exponential time overall.


Remark 2. Only small updates are necessary to treat monadically-guarded formulae of the form $\exists x\,(\Psi(x, \mathbf{z}) \wedge \exists^{\ge x}y\,\Phi(y, \mathbf{z}))$. Again, these updates deal with the fact that, contrary to $\exists^{=x}y\,\Phi$, the formula $\exists^{\ge x}y\,\Phi$ is true whenever there are infinitely many y satisfying $\Phi$, or alternatively when x corresponds to a non-positive number. Then, Lemma 8 can be established for formulae of PAC containing both monadically-guarded quantifiers $\exists^{=x}$ and $\exists^{\ge x}$.


7 The monadically-guarded fragment is in doubly exponential space


In this section, we prove Theorem 2. Theorem 3 shows that our QE procedure 
has the same asymptotic running time as the standard QE procedures for PA. 
Historically, bounds obtained from the latter lead to computationally optimal 
decision procedures based on quantifier relativisation [12,4]. More precisely, given 
a formula ® from PA, the QE procedures allow us to conclude that there is a 
bound C, of bitsize at most doubly exponential in $|\Phi|$, such that $\exists x\,\Phi \Leftrightarrow \exists x : -C \le x \le C \wedge \Phi$ holds (a small-model property). Then, a quantifier relativisation 
procedure follows the semantics of the formula and naively tries all the possible 
assignments to x in [—C, C] whenever a quantifier Jx is encountered. With some 
bookkeeping, this procedure runs in 2EXPSPACE. In this section, we show that 
this is also the case for our QE procedure, leading to a 2EXPSPACE relativisation 
procedure for the monadically-guarded fragment of PAC, proving Theorem 2. 

First of all, we need to recall a folklore result regarding the existence of 
infinitely many solutions of a quantifier-free Presburger formula. 


Lemma 9. Let $\nu$ be an assignment and $\Phi(y, \mathbf{z})$ be a q.f. formula of PA, where $\mathbf{z}$ has d variables. Let $C := \|\Phi\| \cdot d \cdot \max\{1, |\nu(z)| : z \text{ is in } \mathbf{z}\} + \|\Phi\| + 1$.

1. If there are finitely many $n \in \mathbb{Z}$ s.t. $\nu[n/y] \models \Phi$, then they all satisfy $|n| \le C$.

2. If there are infinitely many $n \in \mathbb{Z}$ such that $\nu[n/y] \models \Phi$, then for every $j \in \mathbb{N}_{+}$ there is such an n satisfying $j \cdot C \le |n| \le (j + 1) \cdot C$.


Together with Lemma 8, this result leads to the relativisation of first-order 
quantifiers in the context of PAC. 


Lemma 10. There is a constant c with the following property. Let $\nu$ be an assignment, $\Phi(y, \mathbf{z})$ be a monadically-guarded formula of PAC, where $\mathbf{z}$ has d variables, and let $C := 2^{|\Phi|^{2^{c \cdot d}}} \cdot \max\{1, |\nu(z)| : z \text{ is in } \mathbf{z}\}$. Then, $\nu \models \exists y\,\Phi$ if and only if $\nu[n/y] \models \Phi$ holds for some $n \in \mathbb{Z}$ with $|n| \le 3 \cdot C$.


We want to derive a similar lemma for monadically guarded counting quantifiers. First of all, we consider a formula $\Phi = \exists^{=x}y\,\Psi(y, \mathbf{z})$ where $\Psi$ is a monadically guarded formula. Recall that $\Phi$ is satisfied by an assignment $\nu$ whenever the number of distinct values $n \in \mathbb{Z}$ such that $\nu[n/y] \models \Psi$ is finite and equal to $\nu(x)$. By relying on Lemmas 8 and 9, we show the following lemma.
Lemma 11. There is a constant c with the following property. Let $\nu$ be an assignment, and consider a formula $\Phi = \exists^{=x}y\,\Psi(y, \mathbf{z})$ such that $\Psi$ is a monadically guarded formula of quantifier rank d. Let $C := 2^{|\Psi|^{2^{c \cdot d}}} \cdot \max\{1, |\nu(z)| : z \text{ is in } \mathbf{z}\}$. Then, $\nu \models \Phi$ iff (i) $\nu[n/y] \not\models \Psi$ for every $n \in \mathbb{Z}$ with $C < |n| \le 3 \cdot C$; and (ii) $\#\{n \in \mathbb{Z} : |n| \le C \text{ and } \nu[n/y] \models \Psi\} = \nu(x)$.


We now consider the outermost quantifier x of a monadically-guarded formula $\Theta = \exists x\,(\Psi(x, \mathbf{z}) \wedge \exists^{=x}y\,\Phi(y, \mathbf{z}))$, and aim at finding relativisation bounds for the variable x. Notice that the subformula $\Psi(x, \mathbf{z}) \wedge \exists^{=x}y\,\Phi(y, \mathbf{z})$ is not, strictly speaking, in the monadically-guarded fragment of PAC. However, we can first apply Lemma 8 and obtain quantifier-free formulae $\Psi'$ and $\Phi'$ equivalent to $\Psi$ and $\Phi$, respectively. Then, we apply the QE procedure of Section 3 on input $\exists^{=x}y\,\Phi'$, producing an equivalent quantifier-free formula $\widehat{\Phi}$. We have $\Theta \Leftrightarrow \exists x\,(\Psi' \wedge \widehat{\Phi})$, where $\Psi' \wedge \widehat{\Phi}$ is quantifier-free. Similarly to Lemma 10, we can now obtain relativisation bounds from $\exists x\,(\Psi' \wedge \widehat{\Phi})$ by relying on Lemma 9:

Lemma 12. There is a constant c with the following property. Let $\nu$ be an assignment, and let $\Theta = \exists x\,(\Psi(x, \mathbf{z}) \wedge \exists^{=x}y\,\Phi(y, \mathbf{z}))$ be a monadically-guarded formula of quantifier rank d. Define $C := 2^{|\Theta|^{2^{c \cdot d}}} \cdot \max\{1, |\nu(z)| : z \text{ is in } \mathbf{z}\}$. Then, $\nu \models \Theta$ if and only if there is $n \in \mathbb{N}$ s.t. $n \le C$ and $\nu[n/x] \models \Psi \wedge \exists^{=x}y\,\Phi$.


Lemmas 10 to 12 allow us to evaluate the truth of a sentence of the monadically-guarded fragment of PAC by recursively evaluating the truth of its subformulae, and iterating over a finite set of values when considering first-order and counting quantifiers. As all the considered values admit a binary encoding that is doubly exponential in the size of the input formula, this proves Theorem 2.


8 A complexity characterisation 


By Theorem 2, for deterministic machines, the monadically-guarded fragment of PAC is no harder than standard Presburger arithmetic, and the same is true when considering monadically-guarded quantifiers $\exists^{\ge x}y$ (Remark 2). However, by Proposition 1, PA is not complete for 2EXPSPACE, but rather for the complexity class $\mathrm{STA}(*,\, 2^{2^{n^{O(1)}}},\, O(n))$. This leads to the natural question of whether the monadically-guarded fragment of PAC is also complete for the same STA class. While we leave this question open, in this section we show a completeness result in the restricted case where all monadically-guarded quantifiers appear in the form $\exists x\,(\Psi(x) \wedge \exists^{\ge x}y\,\Phi)$, where $\Psi(x)$ is any formula from PAC having all models bounded by $2^{2^{|\Psi|^{O(1)}}}$ in absolute value. For brevity, let us denote this fragment by F. As F extends PA, proving the following upper bound suffices.


Theorem 4. The validity of a sentence $\Phi$ in F can be decided by an alternating Turing machine with runtime $2^{2^{|\Phi|^{O(1)}}}$ and performing $O(\mathrm{fd}(\Phi))$ alternations.

Since the equivalence $\exists^{\ge c}y\,\Phi \Leftrightarrow \exists x : x = c \wedge \exists^{\ge x}y\,\Phi$, where $c \in \mathbb{Z}$ is written in binary, shows that F contains PA enriched with threshold counting quantifiers, this result implies Theorem 1. To establish Theorem 4, the first step is to rely on Lemmas 8 and 9 and adapt the proof of Lemma 11 to obtain a quantifier relativisation argument for the counting quantifier $\exists^{\ge x}y$.

Function check(V : non-empty set of assignments, $\Phi$ : formula from F) $\to \{\top, \bot\}$
 1  check(V, $t \le 0$) = if $\nu \models t \le 0$ holds for all $\nu \in V$ then return $\top$ else return $\bot$.
 2  check(V, $\Phi_1 \vee \Phi_2$) = if $\exists V_1, V_2 : V = V_1 \cup V_2$ and check($V_1, \Phi_1$) = check($V_2, \Phi_2$) = $\top$
 3      then return $\top$ else return $\bot$.
 4  check(V, $\neg\Psi$) = if $\exists \nu \in V$ : check($\{\nu\}, \Psi$) = $\top$ then return $\bot$ else return $\top$.
 5  check(V, $\exists x\,(\Psi(x) \wedge \exists^{\ge x}y\,\Phi(y, \mathbf{z}))$) = if there is a family $(W_\nu)_{\nu \in V}$ such that
 6      • check($\bigcup_{\nu \in V} W_\nu$, $\Psi \wedge \Phi$) = $\top$, and
 7      • each $W_\nu$ is either $\{\nu[k^{(\nu)}/x][n^{(\nu)}/y]\}$ or $\{\nu[k^{(\nu)}/x][n^{(\nu)}_i/y] : i \in [1, k^{(\nu)}]\}$
 8        where $|k^{(\nu)}| \le 2^{2^{|\Psi|^{O(1)}}}$;
 9        let C be defined as in Lemma 13, w.r.t. $\nu$ and $\Phi$;
10        $n^{(\nu)} \in \mathbb{Z}$ such that $C < |n^{(\nu)}| \le 3 \cdot C$;
11        $|n^{(\nu)}_i| \le C$ for every $i \in [1, k^{(\nu)}]$; and
12        $n^{(\nu)}_i \ne n^{(\nu)}_j$ for every two distinct $i, j \in [1, k^{(\nu)}]$
13      then return $\top$ else return $\bot$.

Fig. 1. Deciding whether a formula $\Phi$ from F is satisfied by all assignments in V.


Lemma 13. There is a constant c with the following property. Let $\nu$ be an assignment, and consider a formula $\Phi = \exists^{\ge x}y\,\Psi(y, \mathbf{z})$ such that $\Psi$ is a monadically guarded formula of quantifier rank d. Let $C := 2^{|\Psi|^{2^{c \cdot d}}} \cdot \max\{1, |\nu(z)| : z \text{ is in } \mathbf{z}\}$. Then, $\nu \models \Phi$ iff (i) there is $n \in \mathbb{Z}$ s.t. $\nu[n/y] \models \Psi$ and $C < |n| \le 3 \cdot C$, or (ii) $\#\{n \in \mathbb{Z} : |n| \le C \text{ and } \nu[n/y] \models \Psi\} \ge \nu(x)$.


With Lemma 13 at hand, designing an algorithm that can be implemented as 
an alternating Turing machine with resources bounded as in Theorem 4 is simple. 
The function check(-,-) given in Figure 1 provides such an algorithm. 


Lemma 14. check($V, \Phi$) returns $\top$ if and only if for all $\nu \in V$, $\nu \models \Phi$.


When $\Phi$ is a sentence, i.e. $\mathrm{fv}(\Phi) = \emptyset$, this lemma implies that $\Phi$ is valid if and only if check($\{\nu\}, \Phi$) = $\top$, where $\nu$ is an arbitrary assignment. Then, Theorem 4 follows by establishing that check($\cdot, \cdot$) can be implemented with an alternating Turing machine that, on input $(\{\nu\}, \Phi)$ where $\Phi$ is a sentence in F, runs in time $2^{2^{|\Phi|^{O(1)}}}$ and performs $O(\mathrm{fd}(\Phi))$ many alternations. We see the existential quantifications on $V_1$, $V_2$, $\nu$ and $(W_\nu)_{\nu \in V}$ in Lines 2, 4 and 5 as guesses done by the alternating Turing machine. The computation in Line 1 is done deterministically in time polynomial in the encoding of V and $t \le 0$. In Line 2, the alternating Turing machine decides which branch among check($V_1, \Phi_1$) and check($V_2, \Phi_2$) must be evaluated, at the cost of one alternation. In this way, alternations occur only in the case of check($V, \Phi_1 \vee \Phi_2$) and check($V, \neg\Psi$), as the latter returns the negation of the assertion "$\exists \nu \in V$ : check($\{\nu\}, \Psi$) = $\top$". This leads to $O(\mathrm{fd}(\Phi))$ 
many alternations overall. Let us now discuss the runtime of check($\cdot, \cdot$), again on alternating Turing machines. Assume that, after a certain number of recursive calls including at most $r \le \mathrm{qr}(\Phi)$ calls to Line 5, the algorithm evaluates the input $(V', \Psi)$. Then, the number of assignments in $V'$ is bounded by $2^{r \cdot 2^{|\Phi|^{O(1)}}}$ (this corresponds to the case where each $W_\nu$ in Line 7 contains the maximum amount of assignments, according to $k^{(\nu)}$), and following the bounds on the numbers $n^{(\nu)}$ and $n^{(\nu)}_i$ in Lines 10 and 11 and by Lemma 13, all these assignments map each variable to an integer that is, in absolute value, bounded by $2^{r \cdot |\Phi|^{2^{c \cdot d}}}$, where c is the constant of Lemma 13 and d is the number of variables in $\Phi$. So, as the number of recursive calls to check($\cdot, \cdot$) is bounded by $|\Phi|$, no more than $|\Phi| \cdot 2^{\mathrm{qr}(\Phi) \cdot 2^{|\Phi|^{O(1)}}} \cdot \log_2\big(2^{\mathrm{qr}(\Phi) \cdot |\Phi|^{2^{c \cdot d}}}\big) \le 2^{2^{|\Phi|^{O(1)}}}$ space is required to represent all possible sets of assignments that are generated throughout the evaluation of check($\cdot, \cdot$). All the assignments are guessed by the alternating Turing machine and thus, when also accounting for the computation done in Line 1, we conclude that check($\{\nu\}, \Phi$) runs in time $2^{2^{|\Phi|^{O(1)}}}$.


9 Conclusion 


We developed a new quantifier elimination procedure for Presburger arithmetic extended with the unary counting quantifiers (PAC), and adapted it for its monadically-guarded fragment. While the existence of an algorithm for PAC running in elementary time is wide open, our procedure runs in 3EXPTIME on the monadically-guarded fragment and leads to the small-model property and relativisation argument, which show that this logic is decidable in 2EXPSPACE. When it comes to deterministic algorithms, this matches the complexity of deciding standard Presburger arithmetic. However, fully settling the complexity of the monadically-guarded fragment of Presburger arithmetic seems to require a generalisation of the STA complexity framework to capture counting mechanisms, which we leave as an avenue for further investigation. In this direction, we have shown that Presburger arithmetic is still $\mathrm{STA}(*,\, 2^{2^{n^{O(1)}}},\, O(n))$-complete when enriched with threshold quantifiers $\exists^{\ge c}y$, for the case of c written in binary but also even for the case of c represented succinctly as a solution of a Presburger formula $\Phi$, characterising a number that may be doubly exponential in $|\Phi|$. With respect to our QE procedure for (general) unary counting quantifiers $\exists^{=x}y$, we have pinpointed precisely where the non-elementary growth occurs. It remains to be seen whether our procedure can be further improved, or if, possibly based on insights obtained from it, a non-elementary lower bound for Presburger arithmetic extended with the $\exists^{=x}y$ quantifier can be established.
Abstract. Linear Temporal Logic (LTL) is one of the most popular temporal logics, that comes into play in a variety of branches of computer science. Its widespread use is also due to its strong foundational properties. 
One of them is Kamp’s theorem, showing that LTL and the first-order 
theory of one successor (S1S[FO]) are expressively equivalent. Safety and 
co-safety languages, where a finite prefix suffices to establish whether a 
word does not or does belong to the language, respectively, play a cru- 
cial role in lowering the complexity of problems like model checking and 
reactive synthesis for LTL. Safety-LTL (resp., coSafety-LTL) is a fragment 
of LTL where only universal (resp., existential) temporal modalities are 
allowed, that recognises safety (resp., co-safety) languages only. 

In this paper, we introduce a fragment of S1S[FO], called Safety-FO, and 
its dual coSafety-FO, which are expressively complete with regards to the 
LTL-definable safety languages. In particular, we prove that they respectively characterise exactly Safety-LTL and coSafety-LTL, a result that joins Kamp's theorem, and provides a clearer view of the characterisations of (fragments of) LTL in terms of first-order languages. In addition, it 
gives a direct, compact, and self-contained proof that any safety language 
definable in LTL is definable in Safety-LTL as well. As a by-product, we 
obtain some interesting results on the expressive power of the weak to- 
morrow operator of Safety-LTL interpreted over finite and infinite traces. 


1 Introduction 


Linear Temporal Logic (LTL) is the de-facto standard logic for system specifica- 
tions [14]. It is a modal logic that is usually interpreted over infinite state se- 
quences, but the finite-trace semantics has recently gained attention as well [6,7]. 
The widespread use of LTL is due to its simple syntax and semantics, and to its 
strong foundational properties. Among them, we would like to mention the semi- 
nal work by Kamp [10] and Gabbay et al. [8], on its expressive completeness, i.e., 
LTL-definable languages are exactly those definable in the first-order fragment 
of the monadic second-order theory of one successor [3] (S1S[FO] for short). 


© The Author(s) 2022 
P. Bouyer and L. Schröder (Eds.): FoSSaCS 2022, LNCS 13242, pp. 244-263, 2022. 
In formal verification, an important class of specifications is that of safety 
languages. They are languages of infinite words where a finite prefix suffices 
to tell whether a word does not belong to the language. As an example, the 
set of all and only those infinite sequences where some particular bad event 
never happens can be regarded as a safety language. In their duals, co-safety 
languages (sometimes called guarantee languages), a finite prefix is sufficient to 
tell whether a word belongs to the language, e.g., when some desired event is 
mandated to eventually happen. Safety and co-safety languages are important 
for verification, model-checking, monitoring, and automated synthesis because 
they capture a variety of real-world requirements while being much simpler to 
deal with algorithmically [1, 11, 20]. 

Safety-LTL is the fragment of LTL where only universal temporal modalities 
are allowed. Similarly, its dual coSafety-LTL is obtained by only allowing exis- 
tential modalities. It has been proved by Chang et al. [5] that Safety-LTL and 
coSafety-LTL define exactly the safety and co-safety languages that are definable 
in LTL, respectively. 

In this paper, we provide a novel characterization of LTL-definable safety lan- 
guages, and of their duals, in terms of a fragment of S1S[FO], called Safety-FO, 
and its dual coSafety-FO. The presented fragments have a very natural syntax, 
and we prove they are expressively complete with regards to LTL-definable safety 
and co-safety languages. We prove the correspondence between coSafety-FO and 
coSafety-LTL, which extends naturally to their duals and can be considered as 
a version of Kamp’s theorem [10] specialized for safety and co-safety properties, 
helping to create a clearer picture of the correspondence between (fragments 
of) temporal and first-order logics. We exploit such a result to prove the corre- 
spondence between co-safety languages definable in LTL and coSafety-FO, thus 
establishing also the equivalence between the former and coSafety-LTL. This pro- 
vides a proof of the fact that Safety-LTL captures exactly the set of LTL-definable 
safety languages [5], which can be regarded as another contribution of the paper. 
The interest of our proof is twofold: on the one hand, the original proof by Chang 
et al. [5] is only sketched and it relies on two non-trivial translations scattered 
across different sources [16,21]; on the other hand, such an equivalence result 
seems not to be widely known, as some authors presented the problem as 
open as lately as 2017 [20].⁴ Thus, a compact and self-contained proof of the 
result seems to be a useful contribution for the community. It is worth noting 
that both proofs build on the fact that safety/co-safety languages can be cap- 
tured by formulas of the form $G\alpha$/$F\alpha$ with $\alpha$ pure-past, but after that, the two 
proofs significantly diverge. Finally, as a by-product of this proof, we provide 
some results that assess the expressive power of the weak tomorrow operator of 
Safety-LTL when interpreted over finite vs. infinite traces. 

The paper is organized as follows. After recalling necessary background knowl- 
edge in Section 2, Section 3 introduces Safety-FO and coSafety-FO and proves 
their correspondence with Safety-LTL and coSafety-LTL. Then, Section 4 proves 


⁴ As a matter of fact, we found out about Chang et al. [5] after setting up the proof 
shown in this paper. 
their correspondence with the set of safety and co-safety languages definable 
in LTL, thus providing a compact and self-contained proof of the equivalence 
between Safety-LTL and LTL-definable safety languages. Some properties of the 
weak next operator are outlined as well. Finally, Section 5 concludes the paper 
with some final considerations and a discussion of future work. 


2 Preliminaries 


Let $\Sigma$ be a finite alphabet. We denote as $\Sigma^*$ and $\Sigma^\omega$ the set of all finite and 
infinite words, respectively, over $\Sigma$. We let $\Sigma^+ = \Sigma^* \setminus \{\varepsilon\}$, where $\varepsilon$ is the empty 
word. Given a word $\sigma \in \Sigma^*$ we denote as $|\sigma|$ the length of $\sigma$. For an infinite 
word $\sigma \in \Sigma^\omega$, $|\sigma| = \omega$. For a (finite or infinite) word $\sigma$, we denote as $\sigma_i \in \Sigma$, 
for $0 \le i < |\sigma|$, the letter at the $i$-th position of the word. With $\sigma_{[i,j]}$, for 
$0 \le i \le j < |\sigma|$, we denote the subword that goes from the $i$-th to the $j$-th letter 
of the word, extrema included. With $\sigma_{[i,\infty)}$ we denote the suffix of $\sigma$ starting 
from the $i$-th letter. Given a word $\sigma \in \Sigma^*$ and $\sigma' \in \Sigma^* \cup \Sigma^\omega$, we denote the 
concatenation of the two words as $\sigma \cdot \sigma'$, or simply $\sigma\sigma'$. A language $\mathcal{L}$, either 
$\mathcal{L} \subseteq \Sigma^*$ or $\mathcal{L} \subseteq \Sigma^\omega$, is a set of words. Given two languages $\mathcal{L}$ and $\mathcal{L}'$ with $\mathcal{L} \subseteq \Sigma^*$ 
and either $\mathcal{L}' \subseteq \Sigma^*$ or $\mathcal{L}' \subseteq \Sigma^\omega$, we define $\mathcal{L} \cdot \mathcal{L}' = \{\sigma \cdot \sigma' \mid \sigma \in \mathcal{L} \text{ and } \sigma' \in \mathcal{L}'\}$. 
For a finite word $\sigma = \sigma_0 \ldots \sigma_n$ let $\sigma^r = \sigma_n \ldots \sigma_0$ be the reverse of $\sigma$, and for a 
language of finite words $\mathcal{L}$ let $\mathcal{L}^r = \{\sigma^r \mid \sigma \in \mathcal{L}\}$. We can now define safety and 
co-safety languages. 


Definition 1 (Safety language [11,19]). Let $\mathcal{L} \subseteq \Sigma^\omega$. We say that $\mathcal{L}$ is a 
safety language if and only if for all the words $\sigma \in \Sigma^\omega$ it holds that, if $\sigma \notin \mathcal{L}$, 
then there exists an $i \in \mathbb{N}$ such that, for all $\sigma' \in \Sigma^\omega$, $\sigma_{[0,i]} \cdot \sigma' \notin \mathcal{L}$. The class of 
safety languages is denoted as SAFETY. 


Definition 2 (Co-safety language [11,19]). Let $\mathcal{L} \subseteq \Sigma^\omega$. We say that $\mathcal{L}$ 
is a co-safety language if and only if for all the words $\sigma \in \Sigma^\omega$ it holds that, if 
$\sigma \in \mathcal{L}$, then there exists an $i \in \mathbb{N}$ such that, for all $\sigma' \in \Sigma^\omega$, $\sigma_{[0,i]} \cdot \sigma' \in \mathcal{L}$. The 
class of co-safety languages is denoted as coSAFETY. 


Linear Temporal Logic with Past (LTL+P) is a modal logic interpreted over 
infinite or finite words. Given a set $\Sigma$ of proposition variables, the syntax of an 
LTL+P formula $\phi$ is generated by the following grammar: 

\begin{align*}
\phi := {} & p \mid \neg\phi_1 \mid \phi_1 \lor \phi_2 \mid \phi_1 \land \phi_2 && \text{Boolean connectives} \\
\mid {} & X\phi_1 \mid \widetilde{X}\phi_1 \mid \phi_1 \mathrel{U} \phi_2 \mid \phi_1 \mathrel{R} \phi_2 && \text{future modalities} \\
\mid {} & Y\phi_1 \mid Z\phi_1 \mid \phi_1 \mathrel{S} \phi_2 \mid \phi_1 \mathrel{T} \phi_2 && \text{past modalities}
\end{align*}

where $\phi_1$ and $\phi_2$ are LTL+P formulas and $p \in \Sigma$. An LTL+P formula is a pure 
future formula if it does not make use of past modalities, and it is pure past 
if it does not make use of future modalities. We denote with LTL the set of 
pure future formulas, and with $\mathrm{LTL_P}$ the set of pure past formulas. Most of the 
temporal operators of the language can be defined in terms of a small number 
of basic ones. In particular, conjunction can be defined in terms of disjunction 
($\phi_1 \land \phi_2 \equiv \neg(\neg\phi_1 \lor \neg\phi_2)$), the release operator can be defined in terms of the 
until operator ($\phi_1 \mathrel{R} \phi_2 \equiv \neg(\neg\phi_1 \mathrel{U} \neg\phi_2)$), and the triggered operator can be 
defined in terms of the since operator ($\phi_1 \mathrel{T} \phi_2 \equiv \neg(\neg\phi_1 \mathrel{S} \neg\phi_2)$). Nevertheless, 
we consider all these connectives and operators as primitive in order to be able 
to put any formula in negated normal form (NNF), i.e., a form where negations 
are only applied to proposition letters. Note that the syntax includes both a 
tomorrow ($X\phi$) and a weak tomorrow ($\widetilde{X}\phi$) operator, as well as a yesterday ($Y\phi$) 
and a weak yesterday ($Z\phi$) operator, for the same reason. Moreover, standard 
shortcut operators are available such as the eventually ($F\phi \equiv \top \mathrel{U} \phi$) and always 
($G\phi \equiv \neg F \neg\phi$) future operators, and the once ($O\phi \equiv \top \mathrel{S} \phi$) and historically 
($H\phi \equiv \neg O \neg\phi$) past operators. 

LTL+P is interpreted over state sequences, which are finite or infinite words 
over $2^\Sigma$. Given a state sequence $\sigma \in (2^\Sigma)^*$ or $\sigma \in (2^\Sigma)^\omega$, the satisfaction of a 
formula $\phi$ by $\sigma$ at a time point $i \ge 0$, denoted as $\sigma, i \models \phi$, is defined as follows: 

1. $\sigma, i \models p$ iff $p \in \sigma_i$; 

2. $\sigma, i \models \neg\phi$ iff $\sigma, i \not\models \phi$; 

3. $\sigma, i \models \phi_1 \lor \phi_2$ iff $\sigma, i \models \phi_1$ or $\sigma, i \models \phi_2$; 

4. $\sigma, i \models \phi_1 \land \phi_2$ iff $\sigma, i \models \phi_1$ and $\sigma, i \models \phi_2$; 

5. $\sigma, i \models X\phi$ iff $i + 1 < |\sigma|$ and $\sigma, i + 1 \models \phi$; 

6. $\sigma, i \models \widetilde{X}\phi$ iff either $i + 1 = |\sigma|$ or $\sigma, i + 1 \models \phi$; 

7. $\sigma, i \models Y\phi$ iff $i > 0$ and $\sigma, i - 1 \models \phi$; 

8. $\sigma, i \models Z\phi$ iff either $i = 0$ or $\sigma, i - 1 \models \phi$; 

9. $\sigma, i \models \phi_1 \mathrel{U} \phi_2$ iff there exists $i \le j < |\sigma|$ such that $\sigma, j \models \phi_2$, 
and $\sigma, k \models \phi_1$ for all $k$, with $i \le k < j$; 

10. $\sigma, i \models \phi_1 \mathrel{S} \phi_2$ iff there exists $j \le i$ such that $\sigma, j \models \phi_2$, 
and $\sigma, k \models \phi_1$ for all $k$, with $j < k \le i$; 

11. $\sigma, i \models \phi_1 \mathrel{R} \phi_2$ iff either $\sigma, j \models \phi_2$ for all $i \le j < |\sigma|$, or there exists 
$k \ge i$ such that $\sigma, k \models \phi_1$ and $\sigma, j \models \phi_2$ for all $i \le j \le k$; 

12. $\sigma, i \models \phi_1 \mathrel{T} \phi_2$ iff either $\sigma, j \models \phi_2$ for all $0 \le j \le i$, or there exists 
$k \le i$ such that $\sigma, k \models \phi_1$ and $\sigma, j \models \phi_2$ for all $i \ge j \ge k$. 

We say that a state sequence $\sigma$ satisfies $\phi$, written $\sigma \models \phi$, if $\sigma, 0 \models \phi$. Note 
that, when interpreted over an infinite word, the tomorrow and weak tomorrow 
operators have the same semantics. The language of $\phi$, denoted as $\mathcal{L}(\phi)$, is the 
set of words $\sigma \in (2^\Sigma)^\omega$ such that $\sigma \models \phi$. The language of finite words of $\phi$, 
denoted as $\mathcal{L}^{<\omega}(\phi)$, is the set of finite words $\sigma \in (2^\Sigma)^*$ such that $\sigma \models \phi$. Given 
a logic $\mathsf{L}$ (e.g., LTL), we denote as $[\mathsf{L}]$ the set of languages $\mathcal{L}$ such that there is a 
formula $\phi \in \mathsf{L}$ such that $\mathcal{L} = \mathcal{L}(\phi)$, and we denote as $[\mathsf{L}]^{<\omega}$ the set of languages 
of finite words $\mathcal{L}$ such that there is a formula $\phi \in \mathsf{L}$ such that $\mathcal{L} = \mathcal{L}^{<\omega}(\phi)$. Note 
that $[\mathrm{LTL}]^{<\omega}$ is usually called $\mathrm{LTL}_f$ in the literature [6]. 

We now define the two fragments of LTL that are the subject of this paper. 


Definition 3 (Safety-LTL and coSafety-LTL [17]). The logic Safety-LTL (resp. 
coSafety-LTL) is the fragment of LTL where, for formulas in negated normal 
form, only the tomorrow, weak tomorrow and release (resp. until) temporal 
operators are allowed. 


We also define the logic coSafety-LTL($-\widetilde{X}$) as the logic coSafety-LTL devoid 
of the weak tomorrow operator (this logic will play a central role in our proofs). 
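The twelve satisfaction clauses of the Preliminaries, executed over finite state sequences, as an added example (illustrative code written for this page, not the paper's). The tuple encoding of formulas and the operator tags ('WX' for the weak tomorrow operator, 'T' for triggered) are this example's own choices; the sample trace is constructed. Besides evaluating formulas, it exhibits two facts the text relies on later: the weak tomorrow operator is what tells the last position of a finite word apart, and a formula without weak tomorrow that is satisfied by a prefix stays satisfied by every extension of it, which is the finite-word side of the prefix argument used for Lemma 1.

```python
"""Finite-word semantics of LTL+P, as an added example (not the paper's code).

A state sequence is a list of frozensets of proposition names.  Formulas are
nested tuples with these tags (the tags are this example's own):
('prop', name), ('not', f), ('and', f, g), ('or', f, g), ('X', f) tomorrow,
('WX', f) weak tomorrow (the paper's X with a tilde), ('Y', f) yesterday,
('Z', f) weak yesterday, ('U', f, g) until, ('R', f, g) release,
('S', f, g) since, ('T', f, g) triggered, and ('true',).
"""
from typing import FrozenSet, List, Tuple

Word = List[FrozenSet[str]]

TRUE: Tuple = ('true',)
FALSE: Tuple = ('not', TRUE)


def prop(name: str) -> Tuple:
    """The atomic formula p for a proposition letter p."""
    return ('prop', name)


def sat(sigma: Word, i: int, phi: Tuple) -> bool:
    """sigma, i |= phi following the twelve clauses, for 0 <= i < |sigma|."""
    n = len(sigma)
    op = phi[0]
    if op == 'true':
        return True
    if op == 'prop':                      # clause 1
        return phi[1] in sigma[i]
    if op == 'not':                       # clause 2
        return not sat(sigma, i, phi[1])
    if op == 'and':                       # clause 4
        return sat(sigma, i, phi[1]) and sat(sigma, i, phi[2])
    if op == 'or':                        # clause 3
        return sat(sigma, i, phi[1]) or sat(sigma, i, phi[2])
    if op == 'X':                         # clause 5: a successor must exist
        return i + 1 < n and sat(sigma, i + 1, phi[1])
    if op == 'WX':                        # clause 6: vacuously true at the end
        return i + 1 == n or sat(sigma, i + 1, phi[1])
    if op == 'Y':                         # clause 7
        return i > 0 and sat(sigma, i - 1, phi[1])
    if op == 'Z':                         # clause 8
        return i == 0 or sat(sigma, i - 1, phi[1])
    if op not in ('U', 'S', 'R', 'T'):
        raise ValueError(f'unknown operator {op!r}')
    f, g = phi[1], phi[2]
    if op == 'U':                         # clause 9
        return any(sat(sigma, j, g) and all(sat(sigma, k, f) for k in range(i, j))
                   for j in range(i, n))
    if op == 'S':                         # clause 10
        return any(sat(sigma, j, g) and all(sat(sigma, k, f) for k in range(j + 1, i + 1))
                   for j in range(i + 1))
    if op == 'R':                         # clause 11
        return (all(sat(sigma, j, g) for j in range(i, n))
                or any(sat(sigma, k, f) and all(sat(sigma, j, g) for j in range(i, k + 1))
                       for k in range(i, n)))
    # clause 12: triggered
    return (all(sat(sigma, j, g) for j in range(i + 1))
            or any(sat(sigma, k, f) and all(sat(sigma, j, g) for j in range(k, i + 1))
                   for k in range(i + 1)))


def models(sigma: Word, phi: Tuple) -> bool:
    """sigma |= phi means satisfaction at time point 0."""
    return sat(sigma, 0, phi)


def positions_where(sigma: Word, phi: Tuple) -> List[int]:
    """All time points of sigma at which phi holds."""
    return [i for i in range(len(sigma)) if sat(sigma, i, phi)]


def survives_extension(phi: Tuple, prefix: Word, suffixes: List[Word]) -> bool:
    """Once prefix |= phi, does every word prefix + suffix still satisfy phi?
    This holds for formulas built from literals, and, or, X and U (no weak
    tomorrow); WX breaks it, since WX false holds only at the last position."""
    return models(prefix, phi) and all(models(prefix + s, phi) for s in suffixes)


# Constructed sample trace: a request is pending at the first two instants and
# is granted at the third.
REQ, GRANT = prop('req'), prop('grant')
TRACE: Word = [frozenset({'req'}), frozenset({'req'}), frozenset({'grant'})]

if __name__ == '__main__':
    print('req U grant at 0:', models(TRACE, ('U', REQ, GRANT)))
    print('positions where WX false holds:', positions_where(TRACE, ('WX', FALSE)))
    print('positions where X true holds:  ', positions_where(TRACE, ('X', TRUE)))
```

Clause 12 is the only binary past case that is not reached through an explicit `if`, so the final `return` is the triggered operator. Running the module prints that `req U grant` holds at position 0, that `WX false` holds only at position 2 (the last one), and that `X true` holds exactly at positions 0 and 1.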

In the next section we present two fragments of the first-order theory of 
one successor [2,3], namely S1S[FO], or simply FO in the following. Fixed 
an alphabet $\Sigma$, FO is a first-order language with equality over the signature 
$(<, \{P_p\}_{p \in \Sigma})$, and is interpreted over structures $\mathcal{M} = (D^{\mathcal{M}}, <^{\mathcal{M}}, \{P_p^{\mathcal{M}}\}_{p \in \Sigma})$ 
where $D^{\mathcal{M}}$, for our goals, is either the set $\mathbb{N}$ of natural numbers or a prefix 
$\{0, \ldots, n\}$ thereof, and $<^{\mathcal{M}}$ is the usual ordering relation between natural num- 
bers. Given an FO formula $\phi(x_0, \ldots, x_m)$ with $m + 1$ free variables, the satis- 
faction of $\phi$ by a first-order structure $\mathcal{M}$ when $x_0 = n_0, \ldots, x_m = n_m$, denoted 
as $\mathcal{M}, n_0, \ldots, n_m \models \phi(x_0, \ldots, x_m)$, is defined following the standard first-order 
semantics. State sequences over $\Sigma$ map naturally into such structures. Given a 
word $\sigma \in (2^\Sigma)^*$ or $\sigma \in (2^\Sigma)^\omega$, we denote as $(\sigma)^{\mathcal{M}}$ the corresponding first-order 
structure. Given a formula $\phi(x)$ with exactly one free variable, the language of 
$\phi$, denoted as $\mathcal{L}(\phi)$, is the set of words $\sigma \in (2^\Sigma)^\omega$ such that $(\sigma)^{\mathcal{M}}, 0 \models \phi$. Sim- 
ilarly, the language of finite words of $\phi$, denoted as $\mathcal{L}^{<\omega}(\phi)$, is the set of finite 
words $\sigma \in (2^\Sigma)^*$ such that $(\sigma)^{\mathcal{M}}, 0 \models \phi$. We denote as $[\mathrm{FO}]$ and $[\mathrm{FO}]^{<\omega}$ the set of 
languages of infinite and finite words, respectively, definable by an FO formula. 

Given a class of languages of finite words $[\mathsf{L}]^{<\omega}$, we denote as $[\mathsf{L}]^{<\omega} \cdot (2^\Sigma)^\omega$ 
the set of languages $[\mathsf{L}]^{<\omega} \cdot (2^\Sigma)^\omega = \{\mathcal{L} \cdot (2^\Sigma)^\omega \mid \mathcal{L} \in [\mathsf{L}]^{<\omega}\}$. We recall now some 
known results. 


Proposition 1 (Kamp [10] and Gabbay [8]). 
$[\mathrm{LTL}] = [\mathrm{FO}]$ and $[\mathrm{LTL}]^{<\omega} = [\mathrm{FO}]^{<\omega}$. 


Finally, we state a normal form for LTL-definable safety/co-safety languages. 


Proposition 2 (Chang et al. [5], Thomas [19]). A language $\mathcal{L} \in [\mathrm{LTL}]$ is 
safety (resp. co-safety) if and only if it is the language of a formula of the form 
$G\alpha$ (resp. $F\alpha$), where $\alpha \in \mathrm{LTL_P}$. 


3 Safety-FO and coSafety-FO 


In this section we introduce the core contribution of the paper, i.e., two fragments 
of FO that precisely capture Safety-LTL and coSafety-LTL, respectively, and we 
prove this relationship. A summary of the results provided by the paper is given 
in Fig. 1. 


Definition 4 (Safety-FO). The logic Safety-FO is generated by the following 
grammar: 

\begin{align*}
\mathit{atomic} &:= x < y \mid x = y \mid x \ne y \mid P(x) \mid \neg P(x) \\
\phi &:= \mathit{atomic} \mid \phi_1 \lor \phi_2 \mid \phi_1 \land \phi_2 \mid \exists y (x < y < z \land \phi_1) \mid \forall y (x < y \to \phi_1)
\end{align*}

where $x$, $y$, and $z$ are first-order variables, $P$ is a unary predicate, and $\phi_1$ and 
$\phi_2$ are Safety-FO formulas. 
[Fig. 1 diagram, recovered as text: the nodes are $[\mathrm{LTL}] \cap \mathrm{SAFETY}$, $[\mathrm{LTL}] \cap \mathrm{coSAFETY}$, $[\text{Safety-LTL}]$, $[\text{coSafety-LTL}]$, 
$[\text{coSafety-LTL}]^{<\omega} \cdot (2^\Sigma)^\omega = [\text{coSafety-LTL}(-\widetilde{X})]^{<\omega} \cdot (2^\Sigma)^\omega$ and $[\text{coSafety-FO}]$ on the left, and 
$[\mathrm{LTL}]^{<\omega}$, $[\text{coSafety-LTL}]^{<\omega} \supseteq [\text{coSafety-LTL}(-\widetilde{X})]^{<\omega}$ and $[\mathrm{FO}]^{<\omega} \supseteq [\text{coSafety-FO}]^{<\omega}$ on the right; 
the arrows are labelled Chang et al. [5], Lemmas 6 and 7, Lemma 1, Theorem 4, Kamp, and Corollary 1.] 

Fig. 1. Summary of the results of the paper, about languages over infinite words on 
the left, and over finite words on the right. Solid arrows are own results. Dashed arrows 
are known from literature. 


Definition 5 (coSafety-FO). The logic coSafety-FO is generated by the following 
grammar: 

\begin{align*}
\mathit{atomic} &:= x < y \mid x = y \mid x \ne y \mid P(x) \mid \neg P(x) \\
\phi &:= \mathit{atomic} \mid \phi_1 \lor \phi_2 \mid \phi_1 \land \phi_2 \mid \exists y (x < y \land \phi_1) \mid \forall y (x < y < z \to \phi_1)
\end{align*}

where $x$, $y$, and $z$ are first-order variables, $P$ is a unary predicate, and $\phi_1$ and 
$\phi_2$ are coSafety-FO formulas. 


We need to make a few observations on the syntax of the two fragments. 
First of all, note how any formula of Safety-FO is the negation of a formula 
of coSafety-FO and vice versa. Then, note that the two fragments are defined 
in negated normal form, i.e., negation only appears on atomic formulas. The 
particular kinds of existential and universal quantification allowed are what 
characterises these fragments. In particular, Safety-FO restricts any existentially quan- 
tified variable to be bounded between two already quantified variables. The 
same applies to universal quantification in coSafety-FO. Moreover, Safety-FO and 
coSafety-FO formulas are future formulas, i.e., the quantifiers can only range 
over values greater than already quantified variables. These two features are 
essential to precisely capture Safety-LTL and coSafety-LTL. Finally, note that 
the comparisons in the guards of the quantifiers are strict, but non-strict com- 
parisons can be used as well. In particular, $\exists y (x \le y \land \phi)$ can be rewritten as 
$\phi[y/x] \lor \exists y (x < y \land \phi)$, where $\phi[y/x]$ is the formula obtained by replacing all 
occurrences of $y$ with $x$. Similarly, $\forall z (x \le z \le y \to \phi)$ can be rewritten as 
$\phi[z/x] \land \phi[z/y] \land \forall z (x < z < y \to \phi)$. 

To prove the relationship between Safety-LTL, coSafety-LTL, and these frag- 
ments, we focus now on coSafety-FO. By duality, all the results transfer to 
Safety-FO. We focus on coSafety-FO because the unbounded quantification is ex- 
istential, and it is easier to reason about the existence of prefixes than on all the 
prefixes at once. We start by observing that, since the weak tomorrow operator, 
over infinite words, coincides with the tomorrow operator, the following holds. 


Observation 1. $[\text{coSafety-LTL}] = [\text{coSafety-LTL}(-\widetilde{X})]$ 

When reasoning over finite words, the weak tomorrow operator plays a crucial 
role, since it can be used to recognize when we are at the last position of a word. 
In fact, $\sigma, i \models \widetilde{X}\bot$ holds if and only if $i = |\sigma| - 1$, for any $\sigma \in (2^\Sigma)^*$. 

Now, let us note that, thanks to the absence of the weak tomorrow operator, 
we can in some sense reduce ourselves to reasoning over finite words. 


Lemma 1. $[\text{coSafety-LTL}(-\widetilde{X})] = [\text{coSafety-LTL}(-\widetilde{X})]^{<\omega} \cdot (2^\Sigma)^\omega$ 


Proof. We have to prove that, for each formula $\phi \in \text{coSafety-LTL}(-\widetilde{X})$, it holds 
that: 

\[
\mathcal{L}(\phi) = \mathcal{L}^{<\omega}(\phi) \cdot (2^\Sigma)^\omega
\]

We proceed by induction on the structure of $\phi$. For the base case, consider 
$\phi = p \in \Sigma$. The case for $\phi = \neg p$ is similar. Let $\sigma \in \mathcal{L}(p)$. It holds that $\sigma_0 \models p$ 
and $\sigma_0 \cdot \sigma' \models p$, for all $\sigma' \in (2^\Sigma)^\omega$, and in particular for $\sigma' = \sigma_{[1,\infty)}$. This is 
equivalent to saying that $\sigma \in \mathcal{L}^{<\omega}(\phi) \cdot (2^\Sigma)^\omega$. For the inductive step: 

1. Let $\phi = \phi_1 \land \phi_2$. Suppose that $\sigma \in \mathcal{L}(\phi)$. Obviously, $\sigma \models \phi_1$ and $\sigma \models \phi_2$, 
and therefore $\sigma \in \mathcal{L}(\phi_1)$ and $\sigma \in \mathcal{L}(\phi_2)$. By the inductive hypothesis, 
$\sigma \in \mathcal{L}^{<\omega}(\phi_1) \cdot (2^\Sigma)^\omega$ and $\sigma \in \mathcal{L}^{<\omega}(\phi_2) \cdot (2^\Sigma)^\omega$. This means that there exist 
two indices $i, j \in \mathbb{N}$ such that $\sigma_{[0,i]} \models \phi_1$ and $\sigma_{[0,j]} \models \phi_2$. Let $m$ be the 
greatest between $i$ and $j$. It holds that $\sigma_{[0,m]} \models \phi_1 \land \phi_2$. Therefore $\sigma \in 
\mathcal{L}^{<\omega}(\phi_1 \land \phi_2) \cdot (2^\Sigma)^\omega$. 

2. Let $\phi = \phi_1 \lor \phi_2$ and let $\sigma \in \mathcal{L}(\phi)$. We have that $\sigma \models \phi_1$ or $\sigma \models \phi_2$. 
Without loss of generality, we consider the case that $\sigma \models \phi_1$ (the other case 
is symmetric). By the inductive hypothesis, $\sigma \in \mathcal{L}^{<\omega}(\phi_1) \cdot (2^\Sigma)^\omega$. Therefore, it 
also holds that $\sigma \in \mathcal{L}^{<\omega}(\phi_1 \lor \phi_2) \cdot (2^\Sigma)^\omega$. 

3. Let $\phi = X\phi_1$ and let $\sigma \in \mathcal{L}(X\phi_1)$. By the semantics of the tomorrow operator, 
it holds that $\sigma_{[1,\infty)} \models \phi_1$. By the inductive hypothesis, $\sigma_{[1,\infty)} \in \mathcal{L}^{<\omega}(\phi_1) \cdot 
(2^\Sigma)^\omega$. This means that there exists an index $i \ge 1$ such that $\sigma_{[1,i]} \models \phi_1$. 
Therefore, it also holds that the state sequence $\sigma_{[0,i]} = \sigma_0 \cdot \sigma_{[1,i]}$ satisfies $X\phi_1$ 
over finite words, that is, $\sigma_{[0,i]} \models X\phi_1$. This means that $\sigma \in \mathcal{L}^{<\omega}(X\phi_1) \cdot (2^\Sigma)^\omega$. 

4. Let $\phi = \phi_1 \mathrel{U} \phi_2$. Let $\sigma \in \mathcal{L}(\phi)$. By the semantics of the until operator, it holds 
that there exists an index $i \in \mathbb{N}$ such that $\sigma_{[i,\infty)} \models \phi_2$ and $\sigma_{[j,\infty)} \models \phi_1$ for all 
$0 \le j < i$. By the inductive hypothesis, we have that $\sigma_{[i,\infty)} \in \mathcal{L}^{<\omega}(\phi_2) \cdot (2^\Sigma)^\omega$ 
and $\sigma_{[j,\infty)} \in \mathcal{L}^{<\omega}(\phi_1) \cdot (2^\Sigma)^\omega$ for all $0 \le j < i$. This means that there exist 
an index $i \in \mathbb{N}$ and $i + 1$ indices $k_0, \ldots, k_i \in \mathbb{N}$ such that $\sigma_{[i,k_i]} \models \phi_2$ and 
$\sigma_{[j,k_j]} \models \phi_1$ for all $0 \le j < i$. Let $m$ be the greatest between $k_0, \ldots, k_i$. It 
holds that there exists an index $i \in \mathbb{N}$ such that $\sigma_{[i,m]} \models \phi_2$ and $\sigma_{[j,m]} \models \phi_1$ 
for all $0 \le j < i$. Therefore, $\sigma \in \mathcal{L}^{<\omega}(\phi_1 \mathrel{U} \phi_2) \cdot (2^\Sigma)^\omega$. 


The same property applies to coSafety-FO as well. 

Lemma 2. $[\text{coSafety-FO}] = [\text{coSafety-FO}]^{<\omega} \cdot (2^\Sigma)^\omega$ 


Proof. We have to prove that, for each formula $\psi \in \text{coSafety-FO}$ with one 
free variable, it holds that $\mathcal{L}(\psi) = \mathcal{L}^{<\omega}(\psi) \cdot (2^\Sigma)^\omega$. We proceed by induction, 
but with a more general statement. Let $\phi(x_1, \ldots, x_k)$ have $k$ free variables. 
We prove by induction on $\phi$ that for any infinite state sequence $\sigma$ such that 
$(\sigma)^{\mathcal{M}}, n_1, \ldots, n_k \models \phi(x_1, \ldots, x_k)$, there exists a prefix $\sigma_{[0,i]}$ of $\sigma$ such that for 
all $\sigma' \in (2^\Sigma)^\omega$, $(\sigma_{[0,i]}\sigma')^{\mathcal{M}}, n_1, \ldots, n_k \models \phi(x_1, \ldots, x_k)$. The base case considers 
the four kinds of atomic formulas. If $(\sigma)^{\mathcal{M}}, n_1, n_2 \models x_1 < x_2$, then $n_1 < n_2$ 
and we know that $(\sigma_{[0,n_2]}\sigma')^{\mathcal{M}}, n_1, n_2 \models x_1 < x_2$ for all $\sigma' \in (2^\Sigma)^\omega$. The case of 
$x_1 = x_2$ is similar. Now, if $(\sigma)^{\mathcal{M}}, n_1 \models P(x_1)$, then $p \in \sigma_{n_1}$ and we know that 
$(\sigma_{[0,n_1]}\sigma')^{\mathcal{M}}, n_1 \models P(x_1)$ for all $\sigma' \in (2^\Sigma)^\omega$. The case for $\neg P(x_1)$ is similar. For 
the inductive step: 

1. If $(\sigma)^{\mathcal{M}}, n_1, \ldots, n_k \models \phi_1(x_1, \ldots, x_k) \land \phi_2(x_1, \ldots, x_k)$, by the induction hypoth- 
esis we know that there are two prefixes $\sigma_{[0,i]}$ and $\sigma_{[0,j]}$ such that, respec- 
tively, $(\sigma_{[0,i]}\sigma')^{\mathcal{M}}, n_1, \ldots, n_k \models \phi_1(x_1, \ldots, x_k)$ and $(\sigma_{[0,j]}\sigma'')^{\mathcal{M}}, n_1, \ldots, n_k \models 
\phi_2(x_1, \ldots, x_k)$, for all $\sigma', \sigma'' \in (2^\Sigma)^\omega$. Then, supposing w.l.o.g. that $i \le j$, we 
know that $(\sigma_{[0,j]}\sigma')^{\mathcal{M}}, n_1, \ldots, n_k \models \phi_1(x_1, \ldots, x_k) \land \phi_2(x_1, \ldots, x_k)$. The case 
for $\phi_1(x_1, \ldots, x_k) \lor \phi_2(x_1, \ldots, x_k)$ is similar. 

2. If $(\sigma)^{\mathcal{M}}, n_1, \ldots, n_k \models \exists x_{k+1} (x_u < x_{k+1} \land \phi_1(x_1, \ldots, x_{k+1}))$ for some $1 \le 
u \le k$, then there exists an $n_{k+1} > n_u$ such that $(\sigma)^{\mathcal{M}}, n_1, \ldots, n_{k+1} \models 
\phi_1(x_1, \ldots, x_{k+1})$. This implies that $(\sigma_{[0,i]}\sigma')^{\mathcal{M}}, n_1, \ldots, n_{k+1} \models \phi_1(x_1, \ldots, x_{k+1})$ 
for some $i \ge 0$ and all $\sigma' \in (2^\Sigma)^\omega$, by the induction hypothesis. It follows 
that $(\sigma_{[0,i]}\sigma')^{\mathcal{M}}, n_1, \ldots, n_k \models \exists x_{k+1} (x_u < x_{k+1} \land \phi_1(x_1, \ldots, x_{k+1}))$. 

3. If $(\sigma)^{\mathcal{M}}, n_1, \ldots, n_k \models \forall x_{k+1} (x_u < x_{k+1} < x_v \to \phi_1(x_1, \ldots, x_{k+1}))$ for some 
$1 \le u, v \le k$, then for all $n_{k+1}$ with $n_u < n_{k+1} < n_v$ it holds that 
$(\sigma)^{\mathcal{M}}, n_1, \ldots, n_{k+1} \models \phi_1(x_1, \ldots, x_{k+1})$. Then, by the induction hypothesis, 
for all $n_{k+1}$ with $n_u < n_{k+1} < n_v$ there is a prefix $\sigma_{[0,i_{n_{k+1}}]}$ such that 
$(\sigma_{[0,i_{n_{k+1}}]}\sigma')^{\mathcal{M}}, n_1, \ldots, n_{k+1} \models \phi_1(x_1, \ldots, x_{k+1})$ for all $\sigma' \in (2^\Sigma)^\omega$. Then, if 
$\bar{n} = \max_{n_u < n_{k+1} < n_v} (i_{n_{k+1}})$ it holds that: 

\[
(\sigma_{[0,\bar{n}]}\sigma')^{\mathcal{M}}, n_1, \ldots, n_k \models \forall x_{k+1} (x_u < x_{k+1} < x_v \to \phi_1(x_1, \ldots, x_{k+1}))
\]

Now, let $\psi(x)$ be a coSafety-FO formula with exactly one free variable $x$. 
Thanks to the above induction we can conclude that each infinite state sequence 
$\sigma$ such that $(\sigma)^{\mathcal{M}}, 0 \models \psi(x)$ is of the form $\sigma_{[0,i]} \cdot \sigma'$, where $(\sigma_{[0,i]})^{\mathcal{M}}, 0 \models \psi(x)$, and 
this implies that $\mathcal{L}(\psi) = \mathcal{L}^{<\omega}(\psi) \cdot (2^\Sigma)^\omega$. 


It is worth noting that Lemmas 1 and 2 show that coSafety-LTL($-\widetilde{X}$) and 
coSafety-FO are insensitive to infiniteness as defined by De Giacomo et al. [9]. 

Then, we can focus on coSafety-LTL($-\widetilde{X}$) and coSafety-FO on finite words. If 
we can prove that $[\text{coSafety-LTL}(-\widetilde{X})]^{<\omega} = [\text{coSafety-FO}]^{<\omega}$, we are done. At 
first, we show how to encode coSafety-LTL($-\widetilde{X}$) formulas into coSafety-FO. 


Lemma 3. $[\text{coSafety-LTL}(-\widetilde{X})]^{<\omega} \subseteq [\text{coSafety-FO}]^{<\omega}$ 


Proof. Let $\mathcal{L} \in [\text{coSafety-LTL}(-\widetilde{X})]^{<\omega}$, and let $\phi \in \text{coSafety-LTL}(-\widetilde{X})$ such that 
$\mathcal{L} = \mathcal{L}^{<\omega}(\phi)$. By following the semantics of the operators in $\phi$, we can obtain an 
equivalent coSafety-FO formula. We inductively define the formula $\mathit{FO}(\phi, x)$, 
where $x$ is a variable, as follows: 

\begin{align*}
\mathit{FO}(p, x) &= P(x), \text{ for each } p \in \Sigma \\
\mathit{FO}(\neg p, x) &= \neg P(x), \text{ for each } p \in \Sigma \\
\mathit{FO}(\phi_1 \land \phi_2, x) &= \mathit{FO}(\phi_1, x) \land \mathit{FO}(\phi_2, x) \\
\mathit{FO}(\phi_1 \lor \phi_2, x) &= \mathit{FO}(\phi_1, x) \lor \mathit{FO}(\phi_2, x) \\
\mathit{FO}(X\phi_1, x) &= \exists y (x < y \land y = x + 1 \land \mathit{FO}(\phi_1, y)) \\
&\qquad \text{where } y = x + 1 \text{ can be expressed as } \forall z (x < z < y \to \bot) \\
\mathit{FO}(\phi_1 \mathrel{U} \phi_2, x) &= \exists y (x \le y \land \mathit{FO}(\phi_2, y) \land \forall z (x \le z < y \to \mathit{FO}(\phi_1, z)))
\end{align*}

For each $\phi \in \text{coSafety-LTL}(-\widetilde{X})$, the formula $\mathit{FO}(\phi, x)$ has exactly one free vari- 
able $x$. It is easy to see that for all finite state sequences $\sigma \in (2^\Sigma)^*$, it holds that 
$\sigma \models \phi$ if and only if $(\sigma)^{\mathcal{M}}, 0 \models \mathit{FO}(\phi, x)$, and $\mathit{FO}(\phi, x) \in \text{coSafety-FO}$. Therefore, 
$\mathcal{L} \in [\text{coSafety-FO}]^{<\omega}$. 
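The translation $\mathit{FO}(\phi, x)$ of Lemma 3, implemented together with an evaluator for the guarded quantifiers of Definition 5 over the structure of a finite word, as an added example (illustrative code for this page, not the paper's). The non-strict guards that the until clause needs are expanded with the rewriting stated after Definition 5, so the output only ever contains the two quantifier shapes $\exists y(x < y \land \ldots)$ and $\forall y(x < y < z \to \ldots)$; the tuple encoding, the tag names and the generated variable names are this example's own conventions, and the sample words are constructed.

```python
"""Lemma 3: coSafety-LTL without weak tomorrow into coSafety-FO, plus an
evaluator for coSafety-FO over finite words.  Added example, not the paper's
code; encodings are this example's own.

LTL formulas (negated normal form): ('prop', a), ('not', ('prop', a)),
('and', f, g), ('or', f, g), ('X', f), ('U', f, g).
FO formulas: ('P', a, x), ('notP', a, x), ('lt', x, y), ('eq', x, y),
('neq', x, y), ('false',), ('and', f, g), ('or', f, g),
('exists_gt', y, x, f)          for  ∃y (x < y ∧ f)
('forall_between', y, x, z, f)  for  ∀y (x < y < z → f)
so only the guarded quantifiers of Definition 5 can be written.
"""
from itertools import count, product
from typing import Dict, FrozenSet, Iterator, List, Tuple

Word = List[FrozenSet[str]]
FALSE: Tuple = ('false',)


def prop(name: str) -> Tuple:
    return ('prop', name)


def fo_sat(sigma: Word, env: Dict[str, int], phi: Tuple) -> bool:
    """Standard first-order semantics over the structure of a finite word,
    with env assigning positions 0..|sigma|-1 to the free variables."""
    n, op = len(sigma), phi[0]
    if op == 'false':
        return False
    if op == 'P':
        return phi[1] in sigma[env[phi[2]]]
    if op == 'notP':
        return phi[1] not in sigma[env[phi[2]]]
    if op == 'lt':
        return env[phi[1]] < env[phi[2]]
    if op == 'eq':
        return env[phi[1]] == env[phi[2]]
    if op == 'neq':
        return env[phi[1]] != env[phi[2]]
    if op == 'and':
        return fo_sat(sigma, env, phi[1]) and fo_sat(sigma, env, phi[2])
    if op == 'or':
        return fo_sat(sigma, env, phi[1]) or fo_sat(sigma, env, phi[2])
    if op == 'exists_gt':                  # ∃y (x < y ∧ body), y ranges over the domain
        y, x, body = phi[1], phi[2], phi[3]
        return any(fo_sat(sigma, {**env, y: v}, body) for v in range(env[x] + 1, n))
    if op == 'forall_between':             # ∀y (x < y < z → body)
        y, x, z, body = phi[1], phi[2], phi[3], phi[4]
        return all(fo_sat(s := sigma, {**env, y: v}, body) for v in range(env[x] + 1, env[z]))
    raise ValueError(f'unknown FO connective {op!r}')


def to_fo(phi: Tuple, x: str, fresh: Iterator[str]) -> Tuple:
    """FO(phi, x) following the clauses of Lemma 3.  The non-strict guards are
    expanded as ∃y(x<=y ∧ ψ) = ψ[y/x] ∨ ∃y(x<y ∧ ψ) and
    ∀z(x<=z<y → ψ) = ψ[z/x] ∧ ∀z(x<z<y → ψ); substitution is free here
    because the translation is parametric in the variable name."""
    op = phi[0]
    if op == 'prop':
        return ('P', phi[1], x)
    if op == 'not':                        # NNF: negation sits on a proposition
        return ('notP', phi[1][1], x)
    if op in ('and', 'or'):
        return (op, to_fo(phi[1], x, fresh), to_fo(phi[2], x, fresh))
    if op == 'X':
        y, z = next(fresh), next(fresh)
        successor = ('forall_between', z, x, y, FALSE)   # y = x + 1: nothing strictly between
        return ('exists_gt', y, x, ('and', successor, to_fo(phi[1], y, fresh)))
    if op == 'U':
        f, g = phi[1], phi[2]
        y, z = next(fresh), next(fresh)
        later = ('exists_gt', y, x,
                 ('and', to_fo(g, y, fresh),
                  ('and', to_fo(f, x, fresh),
                   ('forall_between', z, x, y, to_fo(f, z, fresh)))))
        return ('or', to_fo(g, x, fresh), later)
    raise ValueError(f'{op!r} is not a coSafety-LTL(-weak X) operator')


def translate(phi: Tuple) -> Tuple:
    """FO(phi, x0) with 'x0' as the single free variable."""
    return to_fo(phi, 'x0', (f'v{i}' for i in count()))


def finite_language(phi_fo: Tuple, alphabet: List[FrozenSet[str]], max_len: int) -> List[Word]:
    """All non-empty words of length <= max_len whose structure satisfies phi_fo at 0."""
    return [list(w) for n in range(1, max_len + 1) for w in product(alphabet, repeat=n)
            if fo_sat(list(w), {'x0': 0}, phi_fo)]


# Constructed inputs: the four-letter alphabet 2^{p,q} and two formulas.
ALPHABET: List[FrozenSet[str]] = [frozenset(), frozenset({'p'}), frozenset({'q'}), frozenset({'p', 'q'})]
UNTIL_PQ = translate(('U', prop('p'), prop('q')))
NEXT_P = translate(('X', prop('p')))

if __name__ == '__main__':
    print('p U q  :', len(finite_language(UNTIL_PQ, ALPHABET, 2)), 'words of length <= 2')
    print('X p    :', len(finite_language(NEXT_P, ALPHABET, 2)), 'words of length <= 2')
```

Over words of length at most 2, `p U q` is satisfied by 12 of the 20 words (two of length 1, ten of length 2) and `X p` by the 8 words of length 2 with `p` in the second letter, which is what the finite-word semantics of the two operators predicts; a single-letter word never satisfies `X p`, because the quantifier in `exists_gt` has no position to range over.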


It is time to show the opposite direction, i.e., that any coSafety-FO formula 
can be translated into a coSafety-LTL(—X) formula which is equivalent over finite 
words. To prove this fact we adapt a proof of Kamp’s theorem by Rabinovich [15]. 
Kamp’s theorem is one of the fundamental results about temporal logics, which 
states that LTL corresponds to FO in terms of expressiveness. Here, we prove a 
similar result in the context of co-safety languages. The proof goes by introducing 
a normal form for FO formulas, and showing that (i) any coSafety-FO formula 
can be translated into such normal form and (ii) any formula in normal form 
can be straightforwardly translated into a coSafety-LTL(—X) formula. We start 
by introducing such a normal form. 


Definition 6 ($\exists\forall$-formulas). An $\exists\forall$-formula $\phi(z_0, \ldots, z_m)$ with $m$ free vari- 
ables is a formula of this form: 

\begin{align*}
\phi(z_0, \ldots, z_m) = \exists x_0 \ldots \exists x_n \Big( {} & x_0 < x_1 < \cdots < x_n && \text{ordering constraints} \\
\land {} & z_0 = x_0 \land \bigwedge_{k=1}^{m} (z_k = x_{i_k}) && \text{binding constraints} \\
\land {} & \bigwedge_{j=0}^{n} \alpha_j(x_j) && \text{punctual constraints} \\
\land {} & \bigwedge_{j=1}^{n} \forall y (x_{j-1} < y < x_j \to \beta_j(y)) \Big) && \text{interval constraints}
\end{align*}

where $i_k \in \{0, \ldots, n\}$ for each $0 < k \le m$, and $\alpha_j$, for each $0 \le j \le n$, and $\beta_j$, for each $1 \le j \le n$, 
are quantifier-free formulas with exactly one free variable. 


Some explanations are due. Each $\exists\forall$-formula states a number of requirements 
for its free variables and for its quantified variables. Through the binding con- 
straints, the free variables are identified with a subset of the quantified variables 
in order to uniformly state the punctual and interval constraints, and the or- 
dering constraints, which sort all the variables in a total order. Note that there 
is no relationship between $n$ and $m$: there might be more quantified variables 
than free variables, or fewer. Note as well that the binding constraint $z_0 = x_0$ is 
always present, i.e., at least one free variable has to be the minimal element of 
the ordering. This ensures that $\exists\forall$-formulas are always future formulas. 

We say that a formula of coSafety-FO is in normal form if and only if it is a 
disjunction of $\exists\forall$-formulas. To see how formulas in normal form make sense, let 
us immediately show how to translate them into coSafety-LTL($-\widetilde{X}$) formulas. 


Lemma 4. For any formula $\phi(z) \in \text{coSafety-FO}$ in normal form, with a single 
free variable, there exists a formula $\psi \in \text{coSafety-LTL}(-\widetilde{X})$ such that $\mathcal{L}^{<\omega}(\phi(z)) = 
\mathcal{L}^{<\omega}(\psi)$. 


Proof. We show how any $\exists\forall$-formula is equivalent to a coSafety-LTL($-\widetilde{X}$) 
formula, over finite words. Since each formula in normal form is a disjunction of 
$\exists\forall$-formulas, and since coSafety-LTL($-\widetilde{X}$) is closed under disjunction, this implies 
the proposition. Let $\phi(z)$ be an $\exists\forall$-formula with a single free variable. Having only 
one free variable, $\phi(z)$ is of the form: 

\[
\exists x_0 \ldots \exists x_n \Big( x_0 < \cdots < x_n \land z = x_0 \land \bigwedge_{j=0}^{n} \alpha_j(x_j) \land \bigwedge_{j=1}^{n} \forall y (x_{j-1} < y < x_j \to \beta_j(y)) \Big)
\]

Now, let $A_j$ be the temporal formulas corresponding to $\alpha_j$ and $B_j$ be the ones 
corresponding to $\beta_j$. Recall that $\alpha_j$ and $\beta_j$ are quantifier free with only one free 
variable, hence this correspondence is trivial. Since $z$ is the first time point of 
the ordering mandated by the formula, we only need future temporal operators 
to encode $\phi$ into a coSafety-LTL($-\widetilde{X}$) formula $\psi$ defined as follows: 


It can be seen that $\sigma, k \models \psi$ if and only if $(\sigma)^{\mathcal{M}}, k \models \phi(z)$, for each $\sigma \in (2^\Sigma)^*$ 
and each $k \ge 0$. Thus, $\mathcal{L}^{<\omega}(\phi(z)) = \mathcal{L}^{<\omega}(\psi)$. 


Two differences between our $\exists\forall$-formulas and those used by Rabinovich [15] 
are crucial: first, we do not have unbounded universal requirements, but all 
interval constraints use bounded quantifications, hence we do not need the always 
operator to encode them; second, our $\exists\forall$-formulas are future formulas, hence we 
only need future operators to encode them. 

We now show that any coSafety-FO formula can be translated into normal 
form, that is, into a disjunction of $\exists\forall$-formulas. 


Lemma 5. Any coSafety-FO formula is equivalent to a disjunction of $\exists\forall$-formulas. 


Proof. Let $\phi$ be a coSafety-FO formula. We proceed by structural induction on 
$\phi$. For the base case, for each atomic formula $\phi(z_0, z_1)$ we provide an equivalent 
$\exists\forall$-formula $\psi(z_0, z_1)$: 

1. if $\phi = z_0 < z_1$ then $\psi = \exists x_0 \exists x_1 (z_0 = x_0 \land z_1 = x_1 \land x_0 < x_1)$; 
2. if $\phi = z_0 = z_1$, then $\psi = \exists x_0 (z_0 = x_0 \land z_1 = x_0)$; 
3. if $\phi = z_0 \ne z_1$, we can note that $\phi \equiv z_0 < z_1 \lor z_1 < z_0$ and then apply 
Item 1; 
4. if $\phi = P(z_0)$ then we define $\psi := \exists x_0 (z_0 = x_0 \land P(x_0))$. Similarly if $\phi = 
\neg P(z_0)$. 

For the inductive step: 

1. The case of a disjunction is trivial. 

2. If $\phi(z_0, \ldots, z_k)$ is a conjunction, by the inductive hypothesis each conjunct is 
equivalent to a disjunction of $\exists\forall$-formulas. By distributing the conjunction 
over the disjunction we can reduce ourselves to the case of a conjunction 
$\psi_1(z_0, \ldots, z_k) \land \psi_2(z_0, \ldots, z_k)$ of two $\exists\forall$-formulas. In this case we have that: 

\begin{align*}
\psi_1 &= \exists x_0 \ldots \exists x_n (x_0 < \cdots < x_n \land z_0 = x_0 \land \ldots) \\
\psi_2 &= \exists x_{n+1} \ldots \exists x_m (x_{n+1} < \cdots < x_m \land z_0 = x_{n+1} \land \ldots)
\end{align*}

Since the set of quantified variables in $\psi_1$ is disjoint from the set of quan- 
tified variables in $\psi_2$, we can distribute the existential quantifiers over the 
conjunction $\psi_1 \land \psi_2$, obtaining: 

\begin{align*}
\psi_1 \land \psi_2 \equiv {} & \exists x_0 \ldots \exists x_n \exists x_{n+1} \ldots \exists x_m \\
& (x_0 < \cdots < x_n \land x_{n+1} < \cdots < x_m \land z_0 = x_0 \land z_0 = x_{n+1} \land \ldots)
\end{align*}

Note that we can identify $x_0$ and $x_{n+1}$, obtaining: 

\begin{align*}
\psi_1 \land \psi_2 \equiv {} & \exists x_0 \ldots \exists x_n \exists x_{n+2} \ldots \exists x_m \\
& \Big( x_0 < \cdots < x_n \land x_0 < x_{n+2} < \cdots < x_m \land {} \\
& z_0 = x_0 \land \bigwedge_{i=1}^{k} (z_i = x_{l_i}) \land \bigwedge_{\substack{i=0 \\ i \ne n+1}}^{m} \alpha_i(x_i) \land {} \\
& \bigwedge_{\substack{i=1 \\ i \ne n+1 \\ i \ne n+2}}^{m} \forall y (x_{i-1} < y < x_i \to \beta_i(y)) \land \forall y (x_0 < y < x_{n+2} \to \beta_{n+2}(y)) \Big)
\end{align*}

Now, to turn this formula into a disjunction of $\exists\forall$-formulas, we consider 
all the possible interleavings of the variables that respect the two imposed 
orderings and explode the formula into a disjunction that considers each such 
interleaving. Let $X = \{x_0, \ldots, x_n, x_{n+2}, \ldots, x_m\}$ and let $\Pi$ be the set of all 
the permutations of $X$ compatible with the orderings $x_0 < \cdots < x_n$ and 
$x_0 < x_{n+2} < \cdots < x_m$. For any $\pi \in \Pi$, $\pi(0) = 0$. Now, $\psi_1 \land \psi_2$ becomes the 
disjunction of a set of $\exists\forall$-formulas $\psi_\pi$, for each $\pi \in \Pi$, defined as: 

\begin{align*}
\psi_\pi = {} & \exists x_{\pi(0)} \ldots \exists x_{\pi(m)} \Big( x_{\pi(0)} < \cdots < x_{\pi(m)} \land {} \\
& z_0 = x_0 \land \bigwedge_{i=1}^{k} (z_i = x_{\pi(l_i)}) \land \bigwedge_{i=0}^{m} \alpha_i(x_i) \land {} \\
& \bigwedge_{i=1}^{m} \forall y (x_{\pi(i-1)} < y < x_{\pi(i)} \to \beta^\pi_i(y)) \Big)
\end{align*}

where $\beta^\pi_i$ suitably combines the formulas $\beta$ according to the interleaving of 
the orderings of the original variables, and is defined as follows: 

\[
\beta^\pi_i =
\begin{cases}
\beta_{\pi(i)} & \text{if both } \pi(i), \pi(i-1) \le n \text{ or both } \pi(i), \pi(i-1) > n \\
\beta_{\pi(i)} \land \beta_{\pi(i-1)} & \text{if } \pi(i) \le n \text{ and } \pi(i-1) > n \text{ or vice versa}
\end{cases}
\]

Then we have that $\psi_1 \land \psi_2 \equiv \bigvee_{\pi \in \Pi} \psi_\pi$, which is a disjunction of $\exists\forall$- 
formulas. 

3. Let $\phi(z_0, \ldots, z_m) = \exists z_{m+1} (z_i < z_{m+1} \land \phi_1(z_0, \ldots, z_m, z_{m+1}))$, for some 
$0 \le i \le m$. By the inductive hypothesis, this is equivalent to the formula 
$\exists z_{m+1} (z_i < z_{m+1} \land \bigvee_{k=0}^{j} \psi_k(z_0, \ldots, z_m, z_{m+1}))$, where $\psi_k(z_0, \ldots, z_m, z_{m+1})$ 
is an $\exists\forall$-formula, for each $0 \le k \le j$, that is: 

\[
\exists z_{m+1} \Big( (z_i < z_{m+1}) \land \bigvee_{k=0}^{j} \exists x_0 \ldots \exists x_{n_k} \, \psi'_k(z_0, \ldots, z_{m+1}, x_0, \ldots, x_{n_k}) \Big)
\]

By distributing the conjunction over the disjunction, we obtain: 

\[
\exists z_{m+1} \Big( \bigvee_{k=0}^{j} \big( (z_i < z_{m+1}) \land \exists x_0 \ldots \exists x_{n_k} \, \psi'_k(z_0, \ldots, z_{m+1}, x_0, \ldots, x_{n_k}) \big) \Big)
\]

and by distributing the existential quantifier over the disjunction, we have: 

\[
\bigvee_{k=0}^{j} \Big( \exists z_{m+1} \big( (z_i < z_{m+1}) \land \exists x_0 \ldots \exists x_{n_k} \, \psi'_k(z_0, \ldots, z_{m+1}, x_0, \ldots, x_{n_k}) \big) \Big)
\]

Since the subformula $z_i < z_{m+1}$ does not contain the variables $x_0, \ldots, x_{n_k}$, 
we can push it inside the existential quantification, obtaining: 

\[
\bigvee_{k=0}^{j} \Big( \exists z_{m+1} \exists x_0 \ldots \exists x_{n_k} \big( (z_i < z_{m+1}) \land \psi'_k(z_0, \ldots, z_{m+1}, x_0, \ldots, x_{n_k}) \big) \Big)
\]

Now we divide in cases: 

(a) suppose that the formula $\psi'_k(z_0, \ldots, z_{m+1}, x_0, \ldots, x_{n_k})$ contains the fol- 
lowing conjuncts: $z_i = x_{l_i}$ and $z_{m+1} = x_{l_{m+1}}$, with $l_i = l_{m+1}$. It holds 
that these formulas are in contradiction with the formula $z_i < z_{m+1}$, 
that is: 

\[
(z_i < z_{m+1}) \land (z_i = x_{l_i}) \land (z_{m+1} = x_{l_{m+1}}) \equiv \bot
\]

Therefore, the disjunct $(z_i < z_{m+1}) \land \psi'_k(z_0, \ldots, z_{m+1}, x_0, \ldots, x_{n_k})$ is 
equivalent to $\bot$, and thus can be safely removed from the disjunction. 

(b) suppose that the formula $\psi'_k(z_0, \ldots, z_{m+1}, x_0, \ldots, x_{n_k})$ contains the fol- 
lowing conjuncts: $z_i = x_{l_i}$, $z_{m+1} = x_{l_{m+1}}$ (with $l_i \ne l_{m+1}$), and $x_{l_{m+1}} < 
\cdots < x_{l_i}$. As in the previous case, it holds that: 

\[
(z_i < z_{m+1}) \land (z_i = x_{l_i}) \land (z_{m+1} = x_{l_{m+1}}) \land (x_{l_{m+1}} < \cdots < x_{l_i}) \equiv \bot
\]

Thus, also in this case, this disjunct can be safely removed from the 
disjunction. 

(c) otherwise, it holds that the formula $\psi'_k(z_0, \ldots, z_{m+1}, x_0, \ldots, x_{n_k})$ con- 
tains the following conjuncts: $z_i = x_{l_i}$, $z_{m+1} = x_{l_{m+1}}$ (with $l_i \ne l_{m+1}$), 
and $x_{l_i} < \cdots < x_{l_{m+1}}$. Therefore, the subformula $z_i < z_{m+1}$ is redun- 
dant, and can be safely removed from $\psi'_k(z_0, \ldots, z_{m+1}, x_0, \ldots, x_{n_k})$. The 
resulting formula is an $\exists\forall$-formula. 

After the previous transformation, we obtain: 

\[
\bigvee_{k=0}^{j'} \Big( \exists z_{m+1} \exists x_0 \ldots \exists x_{n_k} \, \psi''_k(z_0, \ldots, z_{m+1}, x_0, \ldots, x_{n_k}) \Big)
\]

Finally, since each formula $\psi''_k(z_0, \ldots, z_{m+1}, x_0, \ldots, x_{n_k})$ contains the con- 
junct $z_{m+1} = x_{l_{m+1}}$, we can safely remove the quantifier $\exists z_{m+1}$. We obtain 
the formula: 

\[
\bigvee_{k=0}^{j'} \Big( \exists x_0 \ldots \exists x_{n_k} \, \psi''_k(z_0, \ldots, z_m, x_0, \ldots, x_{n_k}) \Big)
\]

which is a disjunction of $\exists\forall$-formulas. 

Let @(Z0,.--,2m) = Vem41(2i < Zm+1 < 2) > $1(2Z0,---,%m;%m41)), for 
some 0 < i,j < m. By the induction hypothesis we know that ¢ is equivalent 
to a disjunction V, Yk where pp are SV-formulas, i.e., each Yp is of the form: 


mt+1 
Yk = Ixo, ..., Bn Go Sore < En A Zo = To A N C= 2u) 
l=1 


n 


J cular) A N Yulen <y < zi > Bily))) 


l=0 t=1 


We now note that we can suppose w.l.o.g. that the ordering constraint and 
the binding constraint of Yx imply that zi, zm+1 and zj are ordered con- 
secutively, i.e., zi < 2m+41 < Zj with no other variable in between. That is 
because otherwise the constraints would be in conflict with the guard of the 
universal quantification and the disjunct could be removed from the disjunc- 
tion. Take for example a disjunct of Yp with an ordering constraint of the 
type Zi < Zh < Zm+1; for some h. The existence of such a zp is not guaran- 
teed for each zm+41 between z; and z; because when zm+1 = % + 1 there is 
no value between z; and z; + 1 (we are on discrete time models). That said, 
we can now isolate all the parts of Yẹ that talk about z,,41, bringing them 
out of the existential quantification, obtaining Yk = 0, A Nk, where: 


On = zi < Zm+1 < 2% 
A a(zm+1) A Vy(zi < Y < Zm+1 > B(y)) A Yy(zm+1 < y < zi > B'(y)) 
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m 
Nk = Atty gti, Be (T0 <... < En A 20 = £o A NN (21 = u )^ 
l=1 


n n 
Noal) a N Yule <y < z > ily) 
1=0 l=1 
[Aum+1 l-1Aui 
luj 


Now, we have ¢ = V2m4i(Zi < Zm+1 < 2) => VŁ(0k A nk))- We can dis- 
tribute the head of the implication over the disjunction, and then over the 
conjunction, obtaining: 


o= Vem (\V (zi < Zm+1 < Zj `> Ox) AN (zi < Zm+1 < 25 > nk))) 
k 


In order to simplify the exposition, we now show how to proceed in the case
of two disjuncts, which is easily generalizable. So suppose we have:


$\varphi = \forall z_{m+1} \Big( \big( (z_i < z_{m+1} < z_j \to \theta_1) \wedge (z_i < z_{m+1} < z_j \to \eta_1) \big) \vee \big( (z_i < z_{m+1} < z_j \to \theta_2) \wedge (z_i < z_{m+1} < z_j \to \eta_2) \big) \Big)$

Now we can a) distribute the disjunction over the conjunction (i.e., convert
into conjunctive normal form in the case of multiple disjuncts), b) factor out
the head of the implications and c) distribute the universal quantification
over the conjunction, obtaining:


$\varphi = \forall z_{m+1}(z_i < z_{m+1} < z_j \to \theta_1 \vee \theta_2)$
$\qquad \wedge\; \forall z_{m+1}(z_i < z_{m+1} < z_j \to \theta_1 \vee \eta_2)$
$\qquad \wedge\; \forall z_{m+1}(z_i < z_{m+1} < z_j \to \eta_1 \vee \theta_2)$
$\qquad \wedge\; \forall z_{m+1}(z_i < z_{m+1} < z_j \to \eta_1 \vee \eta_2)$

Now, note that $\eta_1$ and $\eta_2$ do not contain $z_{m+1}$ as a free variable, because we
factored out all the parts mentioning $z_{m+1}$ into $\theta_1$ and $\theta_2$ before. Therefore
we can push them out from the universal quantifications, obtaining:


$\varphi = \forall z_{m+1}(z_i < z_{m+1} < z_j \to \theta_1 \vee \theta_2)$
$\qquad \wedge\; \forall z_{m+1}(z_i < z_{m+1} < z_j \to \theta_1) \vee \eta_2$
$\qquad \wedge\; \forall z_{m+1}(z_i < z_{m+1} < z_j \to \theta_2) \vee \eta_1$
$\qquad \wedge\; \neg\exists z_{m+1}(z_i < z_{m+1} < z_j) \vee \eta_1 \vee \eta_2$


Now, note that $\neg\exists z_{m+1}(z_i < z_{m+1} < z_j)$ is equivalent to $z_i = z_j \vee z_j = z_i + 1$,
which is the disjunction of two formulas that can be turned into $\exists\forall$-formulas.
Since both $\eta_1$ and $\eta_2$ are already $\exists\forall$-formulas and since we already know how
to deal with conjunctions and disjunctions of $\exists\forall$-formulas, it remains to show
that the universal quantifications in the formula above can be turned into
$\exists\forall$-formulas. Take $\forall z_{m+1}(z_i < z_{m+1} < z_j \to \theta_1)$, i.e.:


$\forall z_{m+1} \Big( z_i < z_{m+1} < z_j \to \big( z_i < z_{m+1} < z_j \wedge \alpha(z_{m+1}) \wedge \forall y\, (z_i < y < z_{m+1} \to \beta(y)) \wedge \forall y\, (z_{m+1} < y < z_j \to \beta'(y)) \big) \Big)$


Note that the first conjunct of the consequent can be removed, since it is
redundant. Now, this formula is requesting $\beta(y)$ for all $y$ between $z_i$ and
$z_{m+1}$, but with $z_{m+1}$ that ranges between $z_i$ and $z_j - 1$, hence effectively
requesting $\beta(y)$ to hold between $z_i$ and $z_j$. Similarly for $\beta'(y)$, which has to
hold for all $y$ between $z_i + 1$ and $z_j$.

Hence, it is equivalent to:


$z_i = z_j$
$\vee\; z_j = z_i + 1$
$\vee\; \exists x_{i+1} \big( z_i < x_{i+1} \wedge x_{i+1} = z_i + 1 \wedge z_j = x_{i+1} + 1 \wedge \alpha(x_{i+1}) \big)$
$\vee\; \exists x_i \exists x_{i+1} \exists x_{j-1} \exists x_j \Big( x_i < x_{i+1} < x_{j-1} < x_j \wedge z_i = x_i \wedge z_j = x_j \wedge \alpha(x_{i+1}) \wedge \alpha(x_{j-1})$
$\qquad\qquad \wedge\; \forall y\, (x_i < y < x_{i+1} \to \bot) \wedge \forall y\, (x_{j-1} < y < x_j \to \bot)$
$\qquad\qquad \wedge\; \forall y\, (x_i < y < x_{j-1} \to \alpha(y) \wedge \beta(y)) \wedge \forall y\, (x_{i+1} < y < x_j \to \alpha(y) \wedge \beta'(y)) \Big)$


which is a disjunction of an $\exists\forall$-formula and others that can be turned into
disjunctions of $\exists\forall$-formulas. The reasoning is entirely similar for
$\forall z_{m+1}(z_i < z_{m+1} < z_j \to \theta_1 \vee \theta_2)$.


Any coSafety-FO formula can be translated into a disjunction of $\exists\forall$-formulas by
Lemma 5, and then to a coSafety-LTL($-\widetilde{\mathsf{X}}$) formula by Lemma 4. Together with
Lemma 3, we obtain the following.


Corollary 1. $[\![\text{coSafety-FO}]\!]^{<\omega} = [\![\text{coSafety-LTL}(-\widetilde{\mathsf{X}})]\!]^{<\omega}$


We are now ready to state the main result of this section.


Theorem 1. $[\![\text{coSafety-LTL}]\!] = [\![\text{coSafety-FO}]\!]$


Proof. We know that $[\![\text{coSafety-LTL}]\!] = [\![\text{coSafety-LTL}(-\widetilde{\mathsf{X}})]\!]^{<\omega} \cdot (2^\Sigma)^\omega$ by
Observation 1 and Lemma 1. Since $[\![\text{coSafety-LTL}(-\widetilde{\mathsf{X}})]\!]^{<\omega} = [\![\text{coSafety-FO}]\!]^{<\omega}$ by
Corollary 1, we have that $[\![\text{coSafety-LTL}(-\widetilde{\mathsf{X}})]\!]^{<\omega} \cdot (2^\Sigma)^\omega = [\![\text{coSafety-FO}]\!]^{<\omega} \cdot (2^\Sigma)^\omega$.
Then, by Lemma 2 we have that $[\![\text{coSafety-FO}]\!]^{<\omega} \cdot (2^\Sigma)^\omega = [\![\text{coSafety-FO}]\!]$,
hence $[\![\text{coSafety-LTL}]\!] = [\![\text{coSafety-FO}]\!]$.


Corollary 2. $[\![\text{Safety-LTL}]\!] = [\![\text{Safety-FO}]\!]$
4 Safety-FO captures LTL-definable safety languages 


In this section, we prove that coSafety-FO captures LTL-definable co-safety lan- 
guages. By duality, we have that Safety-FO captures LTL-definable safety lan- 
guages, and by the equivalence shown in the previous Section, this provides a 
novel proof of the fact that Safety-LTL captures LTL-definable safety languages. 
We start by characterizing co-safety languages in terms of LTL over finite words. 


Lemma 6. $[\![\text{LTL}]\!] \cap \text{coSAFETY} = [\![\text{LTL}]\!]^{<\omega} \cdot (2^\Sigma)^\omega$


Proof. ($\subseteq$) By Proposition 2 we know that each language $\mathcal{L} \in [\![\text{LTL}]\!] \cap \text{coSAFETY}$
is definable by a formula of the form $\mathsf{F}\alpha$ where $\alpha \in \text{LTL}_P$. Hence for each $\sigma \in \mathcal{L}$
there exists an $n$ such that $\sigma, n \models \alpha$, hence $\sigma_{[0,n]}, n \models \alpha$. Note that $\sigma_{[n+1,\infty]}$
is unconstrained. By replacing all the since/yesterday/weak yesterday operators
in $\alpha$ with until/tomorrow/weak tomorrow operators, we obtain an LTL formula
$\alpha^r$ such that $(\sigma_{[0,n]})^r, 0 \models \alpha^r$ (where $\sigma^r$ is the reverse of $\sigma$). Since LTL captures
star-free languages [12] and star-free languages are closed by reversal, there is
also an LTL formula $\beta$ such that $\sigma_{[0,n]}, 0 \models \beta$. Hence $\mathcal{L} = \mathcal{L}^{<\omega}(\beta) \cdot (2^\Sigma)^\omega$, and
we proved that $[\![\text{LTL}]\!] \cap \text{coSAFETY} \subseteq [\![\text{LTL}]\!]^{<\omega} \cdot (2^\Sigma)^\omega$.

($\supseteq$) Given $\mathcal{L} \in [\![\text{LTL}]\!]^{<\omega} \cdot (2^\Sigma)^\omega$, we know $\mathcal{L} = \mathcal{L}^{<\omega}(\beta) \cdot (2^\Sigma)^\omega$ for some LTL
formula $\beta$. Hence, for each $\sigma \in \mathcal{L}$ there is an $n$ such that $\sigma_{[0,n]}, 0 \models \beta$. Since
LTL captures star-free languages and star-free languages are closed by reversal,
there is an LTL formula $\alpha^r$ such that $(\sigma_{[0,n]})^r, 0 \models \alpha^r$. Now, by replacing all
the until/tomorrow/weak tomorrow operators in $\alpha^r$ with since/yesterday/weak
yesterday operators, we obtain an $\text{LTL}_P$ formula $\alpha$ such that $\sigma_{[0,n]}, n \models \alpha$. Hence,
$\alpha$ is such that there is an $n$ such that $\sigma, n \models \alpha$, i.e., $\sigma \models \mathsf{F}\alpha$. Therefore, by
Proposition 2, $\mathcal{L} \in [\![\text{LTL}]\!] \cap \text{coSAFETY}$, and this in turn implies that
$[\![\text{LTL}]\!]^{<\omega} \cdot (2^\Sigma)^\omega \subseteq [\![\text{LTL}]\!] \cap \text{coSAFETY}$.


Now, we show that, over finite words, universal temporal operators are unneeded. 


Lemma 7. $[\![\text{LTL}]\!]^{<\omega} = [\![\text{Safety-LTL}]\!]^{<\omega} = [\![\text{coSafety-LTL}]\!]^{<\omega}$


Proof. Since Safety-LTL and coSafety-LTL are fragments of LTL, we only need
to show one direction, i.e., that $[\![\text{LTL}]\!]^{<\omega} \subseteq [\![\text{Safety-LTL}]\!]^{<\omega}$ and
$[\![\text{LTL}]\!]^{<\omega} \subseteq [\![\text{coSafety-LTL}]\!]^{<\omega}$. At first, we show that universal temporal operators are not
needed over finite words. For each LTL formula $\varphi$, we can build an equivalent
coSafety-LTL formula with only existential temporal operators. The globally
operator can be replaced by means of an until operator whose existential part
always refers to the last position of the word. In turn, this can be done with the
formula $\widetilde{\mathsf{X}}\bot$, which is true only at the final position:


$\mathsf{G}\varphi \equiv \varphi \,\mathsf{U}\, (\varphi \wedge \widetilde{\mathsf{X}}\bot)$


Similarly, the release operator can be expressed by means of a globally operator
in disjunction with an until operator:


$\varphi_1 \,\mathsf{R}\, \varphi_2 \equiv \mathsf{G}\varphi_2 \vee (\varphi_2 \,\mathsf{U}\, (\varphi_1 \wedge \varphi_2)) \equiv (\varphi_2 \,\mathsf{U}\, (\varphi_2 \wedge \widetilde{\mathsf{X}}\bot)) \vee (\varphi_2 \,\mathsf{U}\, (\varphi_1 \wedge \varphi_2))$

Hence $[\![\text{LTL}]\!]^{<\omega} = [\![\text{coSafety-LTL}]\!]^{<\omega}$. Now, if we exploit the duality between the
eventually/until and the globally/release operators, we obtain:


$\mathsf{F}\varphi \equiv \varphi \,\mathsf{R}\, (\varphi \vee \mathsf{X}\top)$
$\varphi_1 \,\mathsf{U}\, \varphi_2 \equiv \varphi_2 \,\mathsf{R}\, (\varphi_2 \vee \mathsf{X}\top) \wedge \varphi_2 \,\mathsf{R}\, (\varphi_1 \vee \varphi_2)$


Hence $[\![\text{LTL}]\!]^{<\omega} = [\![\text{Safety-LTL}]\!]^{<\omega}$.
Then, we relate coSafety-LTL on finite words and coSafety-FO. 
Lemma 8. $[\![\text{coSafety-LTL}]\!]^{<\omega} \cdot (2^\Sigma)^\omega = [\![\text{coSafety-FO}]\!]$


Proof. ($\subseteq$) We have that $[\![\text{coSafety-LTL}]\!]^{<\omega} = [\![\text{LTL}]\!]^{<\omega}$ by Lemma 7, and this
implies that $[\![\text{coSafety-LTL}]\!]^{<\omega} \cdot (2^\Sigma)^\om ega = [\![\text{LTL}]\!]^{<\omega} \cdot (2^\Sigma)^\omega$, and
$[\![\text{coSafety-LTL}]\!]^{<\omega} \cdot (2^\Sigma)^\omega = [\![\text{FO}]\!]^{<\omega} \cdot (2^\Sigma)^\omega$ by Proposition 1. Now, let $\varphi \in \text{FO}$, and suppose w.l.o.g.
that $\varphi$ is in negated normal form. We define the formula $\varphi'(x, y)$, where $x$ and
$y$ are two fresh variables that do not occur in $\varphi$, as the formula obtained from
$\varphi$ by a) replacing each subformula of $\varphi$ of type $\exists z\, \varphi_1$ with $\exists z\, (x < z \wedge \varphi_1)$,
and b) replacing each subformula of $\varphi$ of type $\forall z\, \varphi_1$ with $\forall z\, (x < z < y \to \varphi_1)$.
Now, consider the formula $\psi = \exists y\, (x < y \wedge \varphi'(x, y))$. Note that $\psi$ is a
coSafety-FO formula. When interpreted over infinite words, the models of $\psi$ are
exactly those containing a prefix that belongs to $\mathcal{L}^{<\omega}(\varphi)$, with the remaining
suffix unconstrained, that is $\mathcal{L}(\psi) = \mathcal{L}^{<\omega}(\varphi) \cdot (2^\Sigma)^\omega$, hence $[\![\text{FO}]\!]^{<\omega} \cdot (2^\Sigma)^\omega \subseteq
[\![\text{coSafety-FO}]\!]$, and this implies that $[\![\text{coSafety-LTL}]\!]^{<\omega} \cdot (2^\Sigma)^\omega \subseteq [\![\text{coSafety-FO}]\!]$.

($\supseteq$) We know by Lemma 2 that $[\![\text{coSafety-FO}]\!] = [\![\text{coSafety-FO}]\!]^{<\omega} \cdot (2^\Sigma)^\omega$.
Since coSafety-FO formulas are also FO formulas, we have $[\![\text{coSafety-FO}]\!] \subseteq
[\![\text{FO}]\!]^{<\omega} \cdot (2^\Sigma)^\omega$. By Proposition 1 and Lemma 7, we obtain that $[\![\text{coSafety-FO}]\!] \subseteq
[\![\text{coSafety-LTL}]\!]^{<\omega} \cdot (2^\Sigma)^\omega$.


We are ready now to state the main result. 
Theorem 2. $[\![\text{LTL}]\!] \cap \text{coSAFETY} = [\![\text{coSafety-FO}]\!]$


Proof. We know that $[\![\text{LTL}]\!] \cap \text{coSAFETY} = [\![\text{LTL}]\!]^{<\omega} \cdot (2^\Sigma)^\omega$ by Lemma 6. Then,
by Lemma 7 we know that $[\![\text{LTL}]\!]^{<\omega} = [\![\text{coSafety-LTL}]\!]^{<\omega}$, and this in turn
implies that $[\![\text{LTL}]\!]^{<\omega} \cdot (2^\Sigma)^\omega = [\![\text{coSafety-LTL}]\!]^{<\omega} \cdot (2^\Sigma)^\omega$. Since
$[\![\text{coSafety-LTL}]\!]^{<\omega} \cdot (2^\Sigma)^\omega = [\![\text{coSafety-FO}]\!]$ by Lemma 8, we conclude that
$[\![\text{LTL}]\!] \cap \text{coSAFETY} = [\![\text{coSafety-FO}]\!]$.


This result together with Theorem 1 allows us to conclude the following.

Theorem 3. $[\![\text{Safety-LTL}]\!] = [\![\text{LTL}]\!] \cap \text{SAFETY}$


Note that by Observation 1 and Lemma 1 on one hand, and by Lemmas 6
and 7 on the other, the question of whether $[\![\text{Safety-LTL}]\!] = [\![\text{LTL}]\!] \cap \text{SAFETY}$ can
be reduced to whether $[\![\text{coSafety-LTL}]\!]^{<\omega} \cdot (2^\Sigma)^\omega = [\![\text{coSafety-LTL}(-\widetilde{\mathsf{X}})]\!]^{<\omega} \cdot (2^\Sigma)^\omega$.
If coSafety-LTL and coSafety-LTL($-\widetilde{\mathsf{X}}$) were equivalent over finite words, this
would already prove Theorem 3. However, we can prove this is not the case.


Theorem 4. $[\![\text{coSafety-LTL}]\!]^{<\omega} \neq [\![\text{coSafety-LTL}(-\widetilde{\mathsf{X}})]\!]^{<\omega}$
Proof. Note that in coSafety-LTL($-\widetilde{\mathsf{X}}$) we only have existential temporal
modalities and we cannot hook the final position of the word without the weak tomorrow
operator. For these reasons, given a coSafety-LTL($-\widetilde{\mathsf{X}}$) formula $\varphi$, with a simple
structural induction we can prove that for each $\sigma \in (2^\Sigma)^+$ such that $\sigma \models \varphi$, it
holds that $\sigma\sigma' \models \varphi$ for any $\sigma' \in (2^\Sigma)^*$, i.e., all the extensions of $\sigma$ satisfy $\varphi$
as well. This implies that $\mathcal{L}^{<\omega}(\varphi)$ is either empty (i.e., if $\varphi$ is unsatisfiable) or
infinite. Instead, by using the weak tomorrow operator to hook the last position
of the word, we can describe a finite non-empty language, for example as in the
formula $\varphi = a \wedge \mathsf{X}(a \wedge \widetilde{\mathsf{X}}\bot)$. The language of $\varphi$ is $\mathcal{L}(\varphi) = \{aa\}$, including exactly
one word, hence $\mathcal{L}(\varphi)$ cannot be described without the weak tomorrow operator.


Note that Theorem 4 does not contradict Theorem 3, that is, it does not
imply that $[\![\text{coSafety-LTL}]\!]^{<\omega} \cdot (2^\Sigma)^\omega \neq [\![\text{coSafety-LTL}(-\widetilde{\mathsf{X}})]\!]^{<\omega} \cdot (2^\Sigma)^\omega$. For
example, consider again the formula $a \wedge \mathsf{X}(a \wedge \widetilde{\mathsf{X}}\bot)$. It cannot be expressed without
the weak tomorrow operator, yet it holds that: $\mathcal{L}^{<\omega}(a \wedge \mathsf{X}(a \wedge \widetilde{\mathsf{X}}\bot)) \cdot (2^\Sigma)^\omega =
\mathcal{L}^{<\omega}(a \wedge \mathsf{X}a) \cdot (2^\Sigma)^\omega$.
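The translations in the proof of Lemma 7 and the separating formula of Theorem 4 can be checked mechanically over short finite words. The following is an added example, not the paper's code: a small evaluator for LTL over finite words (the tuple encoding of formulas, the alphabet {a, b} and the length bound are our own choices) that confirms the four equivalences by exhaustive enumeration, shows that a ∧ X(a ∧ X̃⊥) has exactly the one model aa, and illustrates the extension-closure property that the proof of Theorem 4 attributes to coSafety-LTL(−X̃) formulas.

```python
"""Finite-word LTL evaluator used to check the Lemma 7 translations and the
Theorem 4 example by brute force.  Added example, not the paper's code.

Formulas are nested tuples (the encoding is ours):
  ('true',)  ('false',)  ('p', letter)  ('not', f)  ('and', f, g)  ('or', f, g)
  ('X', f) tomorrow      ('wX', f) weak tomorrow     ('F', f)  ('G', f)
  ('U', f, g) until      ('R', f, g) release
A word is a string, one letter per position (alphabet letters are single chars)."""
from itertools import product


def holds(w, i, f):
    """w, i |= f over the finite word w, for 0 <= i < len(w)."""
    op = f[0]
    last = len(w) - 1
    if op == 'true':
        return True
    if op == 'false':
        return False
    if op == 'p':
        return w[i] == f[1]
    if op == 'not':
        return not holds(w, i, f[1])
    if op == 'and':
        return holds(w, i, f[1]) and holds(w, i, f[2])
    if op == 'or':
        return holds(w, i, f[1]) or holds(w, i, f[2])
    if op == 'X':      # strong tomorrow: always false at the last position
        return i < last and holds(w, i + 1, f[1])
    if op == 'wX':     # weak tomorrow: always true at the last position
        return i == last or holds(w, i + 1, f[1])
    if op == 'F':
        return any(holds(w, j, f[1]) for j in range(i, len(w)))
    if op == 'G':
        return all(holds(w, j, f[1]) for j in range(i, len(w)))
    if op == 'U':      # f[1] holds from i up to (excluding) a position j where f[2] holds
        return any(holds(w, j, f[2]) and all(holds(w, k, f[1]) for k in range(i, j))
                   for j in range(i, len(w)))
    if op == 'R':      # release, defined as the dual of until
        return not holds(w, i, ('U', ('not', f[1]), ('not', f[2])))
    raise ValueError("unknown operator %r" % (op,))


def words(alphabet='ab', max_len=5):
    """All non-empty words over alphabet of length at most max_len."""
    for n in range(1, max_len + 1):
        for letters in product(alphabet, repeat=n):
            yield ''.join(letters)


def equivalent(f, g, alphabet='ab', max_len=5):
    """f and g agree at position 0 on every enumerated word (every suffix of an
    enumerated word is itself enumerated, so all positions are covered)."""
    return all(holds(w, 0, f) == holds(w, 0, g) for w in words(alphabet, max_len))


def language(f, alphabet='ab', max_len=4):
    """Bounded view of L^{<w}(f): the models of f of length at most max_len."""
    return sorted(w for w in words(alphabet, max_len) if holds(w, 0, f))


def extension_closed(f, alphabet='ab', max_len=4):
    """Does every one-letter extension w.c of a model w also satisfy f?
    The proof of Theorem 4 shows this for every coSafety-LTL(-wX) formula."""
    return all(holds(w + c, 0, f)
               for w in words(alphabet, max_len - 1) if holds(w, 0, f)
               for c in alphabet)


A, B = ('p', 'a'), ('p', 'b')
WX_FALSE = ('wX', ('false',))   # true exactly at the last position
X_TRUE = ('X', ('true',))       # true exactly at the non-last positions

# Lemma 7: G and R via until and weak tomorrow (coSafety-LTL side) ...
LEMMA7_COSAFETY = [
    (('G', A), ('U', A, ('and', A, WX_FALSE))),
    (('R', B, A), ('or', ('U', A, ('and', A, WX_FALSE)), ('U', A, ('and', B, A)))),
]
# ... and F and U via release and strong tomorrow (Safety-LTL side).
LEMMA7_SAFETY = [
    (('F', A), ('R', A, ('or', A, X_TRUE))),
    (('U', B, A), ('and', ('R', A, ('or', A, X_TRUE)), ('R', A, ('or', B, A)))),
]

# Theorem 4: a /\ X(a /\ wX false) has the single finite model "aa", whereas
# a /\ X a is satisfied by every word starting with "aa".
PHI_AA = ('and', A, ('X', ('and', A, WX_FALSE)))
PHI_XA = ('and', A, ('X', A))


def check_all():
    return {
        'lemma7': all(equivalent(f, g) for f, g in LEMMA7_COSAFETY + LEMMA7_SAFETY),
        'L(phi_aa)': language(PHI_AA),
        'L(a & Xa)': language(PHI_XA, max_len=3),
        'aUb_extension_closed': extension_closed(('U', A, B)),
        'phi_aa_extension_closed': extension_closed(PHI_AA),
    }


if __name__ == '__main__':
    for name, value in check_all().items():
        print(name, value)
```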


5 Conclusions 


In this paper, we gave a first-order characterization of safety and co-safety lan- 
guages, by means of two fragments of first-order logic, Safety-FO and coSafety-FO. 
These fragments of S1S[FO] provide a very natural syntax and are expressively 
complete with regards to LTL-definable safety and co-safety languages. 

The core theorem establishes a correspondence between Safety-FO (resp., 
coSafety-FO) and Safety-LTL (resp., coSafety-LTL), and thus it can be viewed 
as a special version of Kamp’s theorem for safety (resp., co-safety) properties. 
Thanks to these new fragments, we were able to provide a novel, compact, and 
self-contained proof of the fact that Safety-LTL captures LTL-definable safety lan- 
guages. Such a result was previously proved by Chang et al. [5], but in terms of 
the properties of a non-trivial transformation from star-free languages to LTL by 
Zuck [21]. As a by-product, we provided a number of results that relate the con- 
sidered languages when interpreted over finite and infinite words. In particular, 
we highlighted the expressive power of the weak tomorrow temporal modality, 
showing it to be essential in coSafety-LTL over finite words. 

Different equivalent characterizations of LTL are known, in terms of (i) first- 
order logic, (ii) regular expressions, (iii) automata, and (iv) monoids (see the 
summary by Thomas in [19]). This work focuses on the first item, but for LTL- 
definable safety languages. A natural follow-up would be to investigate the other 
items, looking for what kind of automata (resp., regular expressions, monoids) 
captures exactly safety and co-safety LTL-definable languages. While on finite 
traces simple characterizations in terms of automata and syntactic monoids exist, 
the infinite-traces scenario is more complex: there exists a characterization of 
LTL in terms of counter-free automata [13] and the one for safety $\omega$-regular
languages seems not to be difficult (see e.g., terminal automata [4, 18]), but
their combination requires having a canonical (minimal) representation of the
(Muller/Rabin/Streett) automata corresponding to any $\omega$-regular language.
Abstract. We show that the existence of a first-order formula separating
two monadic second order formulas over countable ordinal words is
decidable. This extends the work of Henckell and Almeida on finite words,
and of Place and Zeitoun on $\omega$-words. For this, we develop the algebraic
concept of monoid (resp. $\omega$-semigroup, resp. ordinal monoid) with aperiodic
merge, an extension of monoids (resp. $\omega$-semigroups, resp. ordinal
monoids) that explicitly includes a new operation capturing the loss of
precision induced by first-order indistinguishability. We also show the
computability of FO-pointlike sets, and the decidability of the covering
problem for first-order logic on countable ordinal words.
1 Introduction 


In this paper, we establish the decidability of FO-separability over countable
ordinal words:


Theorem 1. There is an algorithm which, given two regular languages of countable
ordinal words $K, L$, either:

— answers ‘yes’, and outputs an FO-separator which is an FO-formula $\varphi$ which
separates $K$ from $L$, i.e. such that $u \models \varphi$ for all $u \in K$, and $v \not\models \varphi$ for
all $v \in L$, or

— answers ‘no’, and outputs a witness function, i.e., a computable function
taking as input an FO-sentence $\varphi$ and returning a pair of words $(u, v) \in K \times L$
such that $u \models \varphi$ if and only if $v \models \varphi$.
The decidability of FO-separability was previously only known for finite
words [19,2,25,17] and for words of length $\omega$ [25]. Countable ordinal words are
sequences of letters that are indexed by a countable total well-ordering, i.e.,
up to isomorphism, by a countable ordinal. There is a natural notion of regular
languages over these objects which can be equivalently described in terms of
logic (either monadic second-order logic or weak monadic second-order logic),
automata (Büchi introduced a notion of automata for countable ordinal words [13],
which was studied in more detail by Wojciechowski [39] and which generalises
Choueka’s automata [15] for words of length at most $\omega^\omega$; the fact that Choueka’s
automata can be seen as a restriction of Büchi’s automata for countable ordinals
was proven by Bedon [5]), rational expressions (introduced by Wojciechowski
[40]), or algebra (recognisable by finite ordinal monoids, introduced by Bedon
and Carton [8]). A detailed survey of the equivalence between all these notions
can be found in Bedon’s thesis [6].

Our algorithm follows the approach initiated by Henckell, and constructs the 
FO-pointlike sets in an ordinal monoid that recognises the two input languages 
simultaneously. FO-pointlike sets are subsets of a monoid whose elements are 
inherently indistinguishable by first-order logic. Our completeness proof for the 
algorithm follows a scheme similar to the one followed by Place and Zeitoun in the 
context of finite and w-words [25], which was inspired by Wilke’s characterisation 
of FO-definable languages [38]. We had to make several substantial changes 
to this approach for the proofs to generalize from finite and w-words to the 
setting of countable ordinal words. A seemingly slight modification of the notion 
of saturation (Definition 8) allows for a careful redesign of several of the core 
lemmas in the proof of completeness, and in particular the construction of an 
FO-approximant in Section 5 below. 


Related work This work lies in a line of research that aims to obtain a decid- 
able understanding of the expressive power of subclasses of the class of regular 
languages. The seminal work in this area is the Schiitzenberger-McNaughton- 
Papert theorem [34,22] which effectively characterizes the languages of finite 
words definable in first-order logic as the ones which have an aperiodic syntactic 
monoid. This theorem was at the origin of a large body of work that studies 
classes of languages through the corresponding classes of monoids, including for 
instance Simon’s result characterising piecewise-testable languages via J-trivial 
monoids [36]. FO-pointlike sets are also known in the literature as aperiodic 
pointlike sets, and were first studied and shown to be computable by Henckell 
[19], in the context of the Krohn-Rhodes semigroup complexity problem. The 
computability of pointlike sets was shown to be equivalent to the decidability of 
the covering problem by Almeida [2]. Alternative proofs of separation and cov- 
ering problems for FO were given recently in [25,17], and, ever since Henckell’s 
work, the computability of FO-pointlike sets was also extended to pointlike sets 
for other varieties—for example [4] for the variety of finite groups, [3] for the 
variety of J-trivial finite semigroups and [18] for varieties of finite semigroups 
determined by a variety of finite groups; also see [18] for further references. Place 
and Zeitoun recently used pointlike sets, in the form of covering problems [27], 
to resolve long-standing open membership problems for the lower levels of the
dot-depth and of the Straubing-Thérien hierarchies [26,28,29].

Another, orthogonal, line of research consists in the extension of the notions 
of regularity (logic/automata/rational expressions/algebra) to models beyond 
finite words. This is the case for finite or infinite trees [30]. In this paper, we are 
concerned with words that go beyond finite, such as words of length $\omega$ [12,37,24],
of countable ordinal length [6,5], of countable scattered³ length [31,32], or of
general countable length [30,35,14].

These two branches have also been studied jointly, and first-order logic was 
characterised on words of length $\omega$ [23], of countable ordinal length [7], of countable
scattered length [10] (and in [9] for first-order augmented with quantifiers
over Dedekind cuts), and for words of countable length [16] (as well as other 
logics [16,21,1]). Prior to the current work, the questions of computing the FO- 
pointlike sets and deciding FO-separation for languages of infinite words had 
only been investigated for words of length w [25]. 


Structure of the document In Section 2, we introduce important definitions for 
manipulating infinite words in algebraic terms (ordinal monoids and their pow- 
erset), and in logical terms (first-order logic and first-order definable maps). In 
Section 3, we describe the algorithm, and in particular its core, a saturation 
construction. The correctness of the algorithm is then proved in Section 4, and 
the completeness in Section 5. In Section 6, we show two stronger results that 
arise from the same technique: the decidability of the covering problem and the 
computability of pointlikes. Section 7 concludes. 


2 Preliminaries 


2.1 Ordinals 


A linear ordering is a set equipped with a total order. It is countable (resp.
finite) if the underlying set is countable (resp. finite). Let $\alpha$ and $\beta$ be two linear
orderings. A morphism from $\alpha$ to $\beta$ is a monotonic function, and an isomorphism
between $\alpha$ and $\beta$ is a bijective morphism. The (ordered) sum of two linear orders
$\alpha$ and $\beta$ is denoted by $\alpha + \beta$ and is defined, as usual, on the disjoint union of the
linear orders $\alpha$ and $\beta$, by further postulating that every element of $\alpha$ is below
every element of $\beta$. The product of two linear orders is denoted by $\alpha \cdot \beta$ and is
defined to be the right-to-left lexicographic ordering on the Cartesian product
of the two orders, i.e., $(x, y) < (x', y')$ iff $y < y'$ or $y = y'$ and $x < x'$. The $n$-fold
product of $\alpha$ with itself is denoted by $\alpha^n$. A linear ordering is well-founded when
it does not contain an infinite strictly decreasing sequence. An ordinal is a
well-founded linear ordering, considered only up to isomorphism of linear orderings.
The empty linear ordering, the linear ordering with a single element and the
linear ordering of natural numbers are all ordinals, and are denoted $0$, $1$ and $\omega$,
respectively. The class of all ordinals is itself totally ordered by the embedding
relation: $\alpha \leq \beta$ means that there exists an injective monotonic function from $\alpha$
to $\beta$. The relation $<$ denotes the strict ordering associated with $\leq$. An ordinal
is a successor ordinal if it has a maximum, and a limit ordinal otherwise.


3 A linear ordering is scattered if it does not contain a dense subordering.


2.2 Ordinal words 


Given a set $\Sigma$, a word $w$ over $\Sigma$ is a map from some linear ordering to $\Sigma$.
The linear ordering is called the domain of $w$, and denoted $\mathrm{dom}(w)$. A word is
countable (resp. finite, resp. scattered, resp. $\omega$-word), if its domain is countable
(resp. finite, resp. scattered, resp. $\omega$). In this paper, a countable ordinal word
is a word that has a countable and ordinal domain (hence, the countability
assumption is silently assumed throughout the paper). The set of all finite words
over $\Sigma$ is denoted by $\Sigma^*$, and the collection of all countable ordinal words over
$\Sigma$ is denoted by $\Sigma^{\mathrm{ord}}$. Similarly, the set of finite non-empty words is denoted
by $\Sigma^+$ and the collection of non-empty countable ordinal words is denoted by
$\Sigma^{\mathrm{ord}+}$. The concatenation of two countable ordinal words $u$ and $v$ over $\Sigma$ is the
word $u \cdot v : \mathrm{dom}(u) + \mathrm{dom}(v) \to \Sigma$ over $\Sigma$ defined by $(u \cdot v)_\iota := u_\iota$ if $\iota \in \mathrm{dom}(u)$
and $(u \cdot v)_\iota := v_\iota$ if $\iota \in \mathrm{dom}(v)$. If $w$ is a countable ordinal word, we define its
omega iteration, denoted by $w^\omega$, as the word with domain $\mathrm{dom}(w) \cdot \omega$ defined
by $(w^\omega)_{(\delta, n)} := w_\delta$ for every $\delta \in \mathrm{dom}(w)$ and $n \in \omega$. For example, if $a, b \in \Sigma$,
then the omega iteration $(ab)^\omega$ of the two-letter word $ab$ is the word $ababab\cdots$
with domain $2 \cdot \omega = \omega$.


2.3 Ordinal monoids 


A semigroup is a set $S$ equipped with an associative binary product, denoted by $\cdot$.
A monoid is a semigroup with a distinguished neutral element for the product,
denoted as $1$. An element $x \in S$ is called idempotent if $x^2 = x$. In a finite
semigroup $S$, every element $x \in S$ has a unique idempotent power, denoted by⁴
$x^{\mathrm{idem}}$, which we recall is the limit of the ultimately constant series $n \mapsto x^{n!}$.
We also denote by $x^{\mathrm{idem}+k}$, for $k$ an integer, the limit of the ultimately constant series
$n \mapsto x^{n!+k}$. Note that $x^{\mathrm{idem}}$ is the identity element of the unique maximal group
inside the subsemigroup generated by $x$. A finite semigroup is aperiodic (we
equivalently write group-trivial) if $a^{\mathrm{idem}} = a^{\mathrm{idem}+1}$ for all of its elements $a$.

We now extend the notion of monoid to obtain an algebraic structure in which
one can evaluate a product indexed by any countable ordinal. Let $\Sigma$ be any set,
and $\alpha$ a countable ordinal. For any word $(w_\iota)_{\iota<\alpha}$ over the set $\Sigma^{\mathrm{ord}}$ of countable
ordinal words, i.e. $(w_\iota)_{\iota<\alpha}$ is a word whose letters are words over $\Sigma$, we define
$\mathrm{flat}(w_\iota \mid \iota < \alpha)$ to be the word over $\Sigma$ with domain $\sum_{\iota<\alpha} \mathrm{dom}(w_\iota)$, which has
the letter $(w_\iota)_\kappa \in \Sigma$ at position $(\iota, \kappa)$, for every $\iota \in \alpha$ and $\kappa \in \mathrm{dom}(w_\iota)$.


4 The standard notation is $x^\omega$, but this notation conflicts with the linear ordering $\omega$.
It is sometimes denoted with a different superscript in the context of infinite words. We find the
notation $x^{\mathrm{idem}}$ more self-explanatory.
Definition 2. An ordinal monoid⁵ is a pair $M = (M, \pi)$ where $M$ is a set and
$\pi : M^{\mathrm{ord}} \to M$ is a function, called generalised product, such that:


— $\pi(x) = x$ for every $x \in M$, and
— $\pi\big((\pi(u_\iota))_{\iota<\alpha}\big) = \pi\big(\mathrm{flat}((u_\iota)_{\iota<\alpha})\big)$ for every word $(u_\iota)_{\iota<\alpha} \in (M^{\mathrm{ord}})^{\mathrm{ord}}$.


The second axiom is called generalised associativity. An ordinal monoid
morphism is a map between ordinal monoids preserving the generalised product.
An ordinal monoid is ordered if it is equipped with an order $\leq$ that makes $\pi$
monotonic, i.e. such that $u \leq v$ implies $\pi(u) \leq \pi(v)$, in which $\leq$ is extended
letter-by-letter to words in $M^{\mathrm{ord}}$.

Given a set $\Sigma$ (the alphabet), an ordinal monoid $M = (M, \pi)$, a letter-to-letter
map $\sigma : \Sigma \to M$ extended to $\sigma^{\mathrm{ord}} : \Sigma^{\mathrm{ord}} \to M^{\mathrm{ord}}$, and $F \subseteq M$, the
language $L \subseteq \Sigma^{\mathrm{ord}}$ recognised by $(M, \sigma, F)$ is


$L = \{ u \in \Sigma^{\mathrm{ord}} : \pi(\sigma^{\mathrm{ord}}(u)) \in F \},$


and a language $L \subseteq \Sigma^{\mathrm{ord}}$ is called recognisable if it is recognised by some such
tuple $(M, \sigma, F)$. We recall that recognisable languages of ordinal words coincide
with the ones definable in monadic second-order logic, or definable by suitable
automata. These languages are called regular. Example 9 below will illustrate
this concept.

We now recall a finite presentation of finite ordinal monoids (originally for
ordinal semigroups), first given by Bedon [6] by extending a similar result
established by Perrin and Pin [24, prop II.5.2] for $\omega$-semigroups⁶. Let $(S, \pi)$ be an
ordinal monoid. We define the constant $1$ and two functions $\cdot : S \times S \to S$ and
$-^\omega : S \to S$ by


$1 := \pi(\varepsilon), \qquad x \cdot y := \pi(xy) \qquad \text{and} \qquad x^\omega := \pi(x^\omega) = \pi(\underbrace{xxx\cdots}_{\omega \text{ times}})\,.$


The following proposition lets us interchangeably regard an ordinal monoid $M$
as either a pair $(M, \pi)$ or as a quadruple $(M, 1, \cdot, -^\omega)$, that we refer to as its
presentation.


Proposition 3 ([6, Thm. 3.5.6], originally for ordinal semigroups). In
a finite ordinal monoid the generalised product is uniquely determined by the
operations $1$, $\cdot$ and $-^\omega$.

An important construction on which our proof relies is the power ordinal
monoid: given an ordinal monoid $(M, \pi)$, we equip the powerset $\mathcal{P}(M)$ of $M$
with a generalised product $\pi : \mathcal{P}(M)^{\mathrm{ord}} \to \mathcal{P}(M)$ defined by


$\pi\big((X_\iota)_{\iota<\kappa}\big) = \{ \pi((x_\iota)_{\iota<\kappa}) \mid x_\iota \in X_\iota \text{ for all } \iota < \kappa \}$
for all words $(X_\iota)_{\iota<\kappa} \in (\mathcal{P}(M))^{\mathrm{ord}}$.


5 The object should probably be called a ‘countable ordinal monoid’ since its intent is
to model countable ordinal words. However the naming becomes clumsy for ‘finite
countable ordinal monoids’...

6 The finitary representation of $\omega$-semigroups is usually called a Wilke algebra, which is
the algebraic structure introduced by Wilke in [37] to recognise regular $\omega$-languages.
Observe that if $M$ is a finite ordinal monoid, then so is $\mathcal{P}(M)$. We can
compute a finite representation of the power ordinal monoid $\mathcal{P}(M)$ of $M$ from
a finite representation of $M$. Indeed,


$1 = \{1\}, \qquad X \cdot Y = \{ x \cdot y \mid x \in X,\, y \in Y \}, \qquad \text{and} \qquad X^\omega = \{ u v^\omega \mid u, v \in X^+ \}$


for all $X, Y \in \mathcal{P}(M)$. The first two properties are trivial while the third one can
be proven using the infinite Ramsey theorem; this is a classical argument used
to give finite representations of infinite structures, see e.g. [24, Theorem II.2.1].
Note that this power ordinal monoid is indeed an ordinal monoid. It is even an
ordered ordinal monoid when equipped with the inclusion ordering.


2.4 First-order logic 


Over a fixed (finite) alphabet $\Sigma$, we define the set of first-order logic formulae,
or FO-formulae for short, by the grammar:


$\varphi \;::=\; \exists x.\varphi \;\mid\; \forall x.\varphi \;\mid\; \varphi \wedge \varphi \;\mid\; \varphi \vee \varphi \;\mid\; \neg\varphi \;\mid\; x < y \;\mid\; a(x)$


where $x, y$ range over some fixed infinite set of variables, and $a$ over $\Sigma$. Free
variables are defined as usual, and an FO-sentence is a formula with no free
variables. In our setting, a model is a countable ordinal word, and a valuation
over this model is a total map from variables to the domain of the word. We
define, for any word $w$ and any valuation $\nu$, the semantic relation $w, \nu \models \varphi$ of
first-order logic on countable ordinal words by structural induction on the
FO-formula $\varphi$, by interpreting variables as positions in the word and propositions of
the form $a(x)$ as “the letter at position $x$ is an $a$”. If $\varphi$ is an FO-sentence, then
the semantics of $\varphi$ over a word $w$ does not depend on the valuation, and thus
we write $w \models \varphi$ or $w \not\models \varphi$. When $w \models \varphi$ we say that $w$ satisfies $\varphi$, or also that
$\varphi$ accepts $w$.

A language $L \subseteq \Sigma^{\mathrm{ord}}$ is said to be FO-definable if $L = \{ w \in \Sigma^{\mathrm{ord}} \mid w \models \varphi \}$
for some FO-sentence $\varphi$. For example, the language of words over the alphabet
$\{a, b, c\}$ such that every ‘$a$’ is at a finite distance from a ‘$b$’ is defined by the
FO-sentence $\forall x.\, a(x) \to \exists y.\, b(y) \wedge \mathrm{finite}(x, y)$, where:


$\mathrm{isSuccessor}(z) := \exists y.\, y < z \wedge (\forall x.\, x < z \to x \leq y)$


$\mathrm{finite}(x, y) := \forall z.\, (x < z \leq y \vee y < z \leq x) \to \mathrm{isSuccessor}(z)\,.$


Bedon [7] extended the Schützenberger-McNaughton-Papert theorem [34,22] 
to countable ordinal words. 


Proposition 4 (Bedon’s theorem [7, Theorem 3.4]). A language of countable
ordinal words is FO-definable if and only if it is recognised by a finite aperiodic
ordinal monoid.


Let $L \subseteq \Sigma^{\mathrm{ord}}$. A function $f : L \to X$ whose codomain $X$ is a finite set is said
to be FO-definable when every preimage $f^{-1}[x]$, with $x \in X$, is an FO-definable
language. Note that if $f$ is FO-definable, then its domain $L$ is necessarily an
FO-definable language.


For example, the function $\Sigma^* \to \mathbb{Z}/2\mathbb{Z}$, sending a word $w \in \Sigma^*$ to its length
modulo 2, is not FO-definable. On the other hand, for a fixed letter $a \in \Sigma$, the
total function sending a word $w \in \Sigma^{\mathrm{ord}+}$ to $\top$ if $w$ contains the letter ‘$a$’ and to
$\bot$ otherwise is FO-definable.


A useful tool to manipulate words is the notion of condensation; see, e.g.,
[33, §4] for an introduction to the subject. A condensation of a countable ordinal
$\alpha$ is an equivalence relation $\sim$ over $\alpha$ whose equivalence classes are convex. Note
that the quotient of a countable ordinal by a condensation is still a countable
ordinal.


A condensation formula $\varphi(x, y)$ is a formula which is interpreted as a
condensation of the domain over all countable ordinal words, i.e. for every word
$w \in \Sigma^{\mathrm{ord}}$, the relation defined on $\mathrm{dom}(w)$ by $\iota \sim_\varphi \kappa$ if and only if
$w, [x \mapsto \iota, y \mapsto \kappa] \models \varphi(x, y)$ is a condensation. A condensation formula $\varphi(x, y)$ induces a
map:


$\hat{\varphi} : \Sigma^{\mathrm{ord}} \to (\Sigma^{\mathrm{ord}})^{\mathrm{ord}}$

where for every $u \in \Sigma^{\mathrm{ord}}$, $\hat{\varphi}(u)$ is a word whose domain is $\mathrm{dom}(u)/{\sim_\varphi}$, and
such that for every class $I \in \mathrm{dom}(u)/{\sim_\varphi}$, the $I$-th letter of $\hat{\varphi}(u)$ is the word
$(u_\iota)_{\iota \in I}$; hence $\mathrm{flat}(\hat{\varphi}(u)) = u$.

For example, the formula $\mathrm{finite}(x, y)$ is a condensation formula, called finite
condensation. The function $\widehat{\mathrm{finite}} : \Sigma^{\mathrm{ord}} \to (\Sigma^{\mathrm{ord}})^{\mathrm{ord}}$ that it induces sends the
word $ababab\cdots cdcdcd\cdots abc \in \Sigma^{\mathrm{ord}}$ of length $\omega \cdot 2 + 3$ to the 3-letter word
$(ababab\cdots)(cdcdcd\cdots)(abc)$. Observe that for every word $w \in \Sigma^{\mathrm{ord}}$, every letter
of $\widehat{\mathrm{finite}}(w)$ is a word of length $\omega$, except possibly for the last letter (if the word
has one), which can be finite.

Given two FO-definable functions, one that describes “local transformations”
and another that describes how to glue these local transformations together,
the following lemma allows us to build a new FO-definable function. It is one of
the key ingredients in our proof of Theorem 1.


Lemma 5. Let $A, B, C$ be finite sets. Let $\varphi(x, y)$ be a condensation FO-formula
over $A$, let $f : A^{\mathrm{ord}} \to B$ and $g : B^{\mathrm{ord}} \to C$ be FO-definable functions. Then,
the map


$g \circ_\varphi f : A^{\mathrm{ord}} \to C, \qquad u \mapsto g\Big( \prod_{I \in \mathrm{dom}(\hat{\varphi}(u))} f\big(\hat{\varphi}(u)_I\big) \Big)$


is FO-definable.
3 The algorithm 


In this section we describe the algorithm behind Theorem 1. We first introduce 
the key notion of saturation in Section 3.1, and formalise the algorithm in Sec- 
tion 3.2. 


3.1 The saturation construction 


Until the end of Section 3.1, we fix a finite ordinal monoid $M = (M, \cdot, 1, -^\omega)$.
The saturation construction is at the heart of the algorithm, both in this
paper, and in previous work. We introduce the necessary definitions. Note however
that in our case, we do not close the definition under subsets as is usually done.
This change, which may look minor, is in fact key for our proof to go through in
the case of countable ordinals, and we find it also simplifies some points in the
setting of finite words. We first recall an essential operation on $\mathcal{P}(M)$ that we
denote $-^{\mathrm{grp}}$. Applied to a set $X \subseteq M$, it computes the union of all the elements
that belong to the maximal group in the subsemigroup of $\mathcal{P}(M)$ generated by $X$.


Definition 6. Let $X \subseteq M$. Define


$X^{\mathrm{grp}} = \bigcup_{k \in \mathbb{N}} X^{\mathrm{idem}+k} \;\overset{(*)}{=}\; \bigcap_{n \in \mathbb{N}} \bigcup_{m \geq n} X^m .$


Note that the $(*)$ equality holds: the left-to-right inclusion comes from the fact that
$X^{\mathrm{idem}+k} = X^m$ holds for infinitely many values of $m$, while the other inclusion
stems from the fact that $X^m$ can be written as $X^{\mathrm{idem}+k}$ for some $k$ whenever $m$
is sufficiently large.

Some important properties of this operation are the following. 


Lemma 7. The operation $-^{\mathrm{grp}}$ is monotonic, and for all $A, B \subseteq M$, and all
integers $k$,

$A^{\mathrm{idem}+k} \subseteq A^{\mathrm{grp}}, \qquad (A \cdot B)^{\mathrm{grp}} = A \cdot (B \cdot A)^{\mathrm{grp}} \cdot B,$
$\text{and} \qquad A^{\mathrm{grp}} \cdot A^{\mathrm{grp}} = (A^{\mathrm{grp}})^{\mathrm{grp}} = A^{\mathrm{grp}}.$


The core of the algorithm computes the closure under $-^{\mathrm{grp}}$ and all the
operations of the algebra of the images of the letters.

Definition 8. Let $A \subseteq \mathcal{P}(M)$. The set $\langle A \rangle^{\mathrm{grp},\mathrm{ord}} \subseteq \mathcal{P}(M)$ is defined to be the
least set containing $A$, $\{1\}$, and closed under $\cdot$, $-^{\mathrm{grp}}$ and $-^\omega$.⁷

This definition is close in spirit to what is called saturation in previous works,
with the difference that we do not take the downward closure, and that we close
under the operation $-^\omega$. Despite this difference, we sometimes call $\langle A \rangle^{\mathrm{grp},\mathrm{ord}}$ the
saturation.

Observe that the ordinal monoid $M$ is aperiodic if and only if


$\langle \{ \{x\} \mid x \in M \} \rangle^{\mathrm{grp},\mathrm{ord}} = \{ \{x\} \mid x \in M \}.$


7 Recall that we showed that in a power ordinal monoid, the operation $-^\omega$ is
computable.


272 T. Colcombet et al. 


3.2 The algorithm 


We are now ready to describe the core of the algorithm that is claimed to exist
in Theorem 1. Let $K$ and $L$ be two regular languages of countable ordinal words
over the alphabet $\Sigma$. The algorithm is:

1. Let $\mathbf{M}, \sigma, F_K, F_L$ be such that $K$ is recognised by $(\mathbf{M}, \sigma, F_K)$ and $L$ by
$(\mathbf{M}, \sigma, F_L)$.

2. Compute $\mathrm{Sat} := \langle \{\{\sigma(a)\} \mid a \in \Sigma\} \rangle^{\mathrm{grp,ord}}$ (inside $\mathcal{P}(M)$).

3. If $F_K \cap X \ne \emptyset$ and $F_L \cap X \ne \emptyset$ for some $X \in \mathrm{Sat}$, answer 'no'. Otherwise
answer 'yes'.


[Egg-box diagram of $\mathbf{M}$ (image not reproduced); the residue of the figure names the group $\mathbb{Z}/2\mathbb{Z}$ formed by $a$ and $aa$.]

Multiplication table of $\mathbf{M}$ (row $\cdot$ column) and ω-iteration, as read from the figure:

  ·      | 1       a       aa      a^ω   a^ω a   a^ω aa
  -------+-----------------------------------------------
  1      | 1       a       aa      a^ω   a^ω a   a^ω aa
  a      | a       aa      a       a^ω   a^ω a   a^ω aa
  aa     | aa      a       aa      a^ω   a^ω a   a^ω aa
  a^ω    | a^ω     a^ω a   a^ω aa  a^ω   a^ω a   a^ω aa
  a^ω a  | a^ω a   a^ω aa  a^ω a   a^ω   a^ω a   a^ω aa
  a^ω aa | a^ω aa  a^ω a   a^ω aa  a^ω   a^ω a   a^ω aa

  x      | 1   a    aa   a^ω   a^ω a   a^ω aa
  x^ω    | 1   a^ω  a^ω  a^ω   a^ω     a^ω

Saturation:

$$\langle \{\{a\}\} \rangle^{\mathrm{grp,ord}} = \{\{1\}, \{a\}, \{aa\}, \{a, aa\}, \{a^\omega\}, \{a^\omega a\}, \{a^\omega aa\}, \{a^\omega a, a^\omega aa\}\}$$

Fig. 1. Egg-box diagram of a finite ordinal monoid $\mathbf{M}$ recognising $J$, $K$ and $L$ (left),
multiplication table and ω-iteration of $\mathbf{M}$ (right) and saturation (bottom).


Example 9. We illustrate the saturation construction and the algorithm on the
following three languages over the singleton alphabet $\{a\}$:

$J = \{$infinite words whose longest finite suffix has even length$\}$,
$K = \{$infinite words whose longest finite suffix has odd length$\}$,
and $L = \{$words that do not have a last letter$\}$.

It is classical that $J$ and $K$ are not FO-definable, while $L$ is defined by the
formula $\forall x.\, \exists y.\, y > x$. We can build a finite ordinal monoid $\mathbf{M}$ recognising all
three languages: it has six elements, $1, a, aa, a^\omega, a^\omega a$ and $a^\omega aa$. Its presentation
is described in Figure 1. Naturally, the letter $a$ is mapped to $\sigma(a) = a$. Then
$J$, $K$ and $L$ are recognised by $F_J := \{a^\omega, a^\omega aa\}$, by $F_K := \{a^\omega a\}$ and by
$F_L := \{1, a^\omega\}$, respectively.

The languages $K$ and $L$ are FO-separable: in fact $L$ is an FO-separator of
$K$ and $L$. On the other hand, $J$ and $K$ are not FO-separable, as witnessed
by the saturation algorithm. Indeed, the saturation $\langle \{\{\sigma(a)\} \mid a \in \Sigma\} \rangle^{\mathrm{grp,ord}}$
contains all singletons, and furthermore $\{a, aa\} = \{a\}^{\mathrm{grp}}$. As a consequence, it
also contains $\{a^\omega a, a^\omega aa\} = \{a^\omega\} \cdot \{a, aa\}$. This last set intersects both $F_J$ and
$F_K$.
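The saturation and the three-step decision procedure above, run on the monoid of Example 9. This is an added example, not code from the paper: the monoid is transcribed by hand from Figure 1, and the ω-power of a set $X \subseteq M$ is computed through the standard Ramsey factorisation (every ω-product over $X$ equals $x \cdot e^\omega$ for some $x$ in the submonoid generated by $X$ and some idempotent $e$ of the subsemigroup generated by $X$), which is an assumption of this example rather than a statement taken from the paper.

```python
# Added example (not code from the paper): the six-element ordinal monoid M of
# Example 9, the operations of P(M) behind Definitions 6 and 8, and the
# three-step algorithm of Section 3.2 run on the languages J, K and L.

# Elements of M as strings; "w" stands for the ordinal omega.
ONE, A, AA, AW, AWA, AWAA = "1", "a", "aa", "a^w", "a^w a", "a^w aa"
ELEMENTS = (ONE, A, AA, AW, AWA, AWAA)
# Length of the finite block of a's after a^w (or of the whole element if finite).
TAIL = {A: 1, AA: 2, AW: 0, AWA: 1, AWAA: 2}

def mul(x, y):
    """Product of M, transcribed from the table of Figure 1: a^3 = a, and a^w
    absorbs every finite block of a's standing to its left."""
    if x == ONE:
        return y
    if y == ONE:
        return x
    if y in (AW, AWA, AWAA):            # x . a^w ... = a^w ...
        return y
    # y is a or aa: add the finite tails and reduce modulo a^3 = a
    tail = A if (TAIL[x] + TAIL[y]) % 2 == 1 else AA
    return tail if x in (A, AA) else {A: AWA, AA: AWAA}[tail]

def omega(x):
    """omega-iteration of M (last row of Figure 1): 1^w = 1, x^w = a^w otherwise."""
    return ONE if x == ONE else AW

# ---- the power ordinal monoid P(M): elements are frozensets of elements of M ----

def set_mul(X, Y):
    """Pointwise product X . Y in P(M)."""
    return frozenset(mul(x, y) for x in X for y in Y)

def powers(X):
    """The distinct sets X, X^2, X^3, ... in order, and the first power that repeats."""
    seen, P = [], X
    while P not in seen:
        seen.append(P)
        P = set_mul(P, X)
    return seen, P

def set_grp(X):
    """X^grp of Definition 6: the union of the powers X^m that occur for infinitely
    many m, i.e. of the periodic part of the sequence of powers."""
    seen, first_repeat = powers(X)
    return frozenset().union(*seen[seen.index(first_repeat):])

def set_omega(X):
    """X^w in P(M): products of all omega-sequences over X. Assumption of this
    example (standard Ramsey factorisation): every such product equals x . e^w
    with x in the submonoid generated by X and e an idempotent of the
    subsemigroup generated by X. This agrees with the omega row of Figure 1."""
    seen, _ = powers(X)
    S = frozenset().union(*seen)                     # subsemigroup generated by X
    idempotents = [e for e in S if mul(e, e) == e]
    return frozenset(mul(x, omega(e)) for x in S | {ONE} for e in idempotents)

def saturation(generators):
    """<generators>^{grp,ord} of Definition 8: the least set containing the
    generators and {1} and closed under ., -^grp and -^w (no subset closure)."""
    sat = {frozenset([ONE])} | set(generators)
    while True:
        new = set()
        for X in sat:
            new.add(set_grp(X))
            new.add(set_omega(X))
            for Y in sat:
                new.add(set_mul(X, Y))
        if new <= sat:
            return frozenset(sat)
        sat |= new

def is_aperiodic():
    """Observation of Section 3.1: M is aperiodic iff saturating all singletons
    of M produces nothing but singletons."""
    singletons = frozenset(frozenset([x]) for x in ELEMENTS)
    return saturation(singletons) == singletons

# ---- the algorithm of Section 3.2 on Example 9 (sigma(a) = a) ----
F_J = frozenset([AW, AWAA])     # accepting set of J
F_K = frozenset([AWA])          # accepting set of K
F_L = frozenset([ONE, AW])      # accepting set of L

def fo_separable(F1, F2, generators=(frozenset([A]),)):
    """Steps 2 and 3: compute Sat and answer 'yes' (True) unless some X in Sat
    meets both accepting sets, in which case the answer is 'no' (False)."""
    sat = saturation(generators)
    return not any(X & F1 and X & F2 for X in sat)

if __name__ == "__main__":
    for X in sorted(saturation([frozenset([A])]), key=lambda X: (len(X), sorted(X))):
        print("{" + ", ".join(sorted(X)) + "}")
    print("K vs L separable:", fo_separable(F_K, F_L))    # True
    print("J vs K separable:", fo_separable(F_J, F_K))    # False
```

Running the script prints the eight sets of the saturation of Figure 1 and the two verdicts of Example 9.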


The rest of the paper is dedicated to establishing the validity of this approach. 
In Section 4, we prove Proposition 12 stating that if the algorithm answers ‘no’, 
then the languages cannot be separated, as described in Theorem 1. In Section 5, 
we prove Corollary 16 stating that if the algorithm answers ‘yes’, then it is 
possible to construct an FO-separator sentence as described in Theorem 1. In 
Section 6, we shall package the results of Sections 4 and 5 differently, concluding 
that we have in fact computed the pointlike sets, and that we can also decide 
the more general covering problem. 


4 When the algorithm says ‘no’ 


In this section, we establish the correctness of the algorithm, i.e., when the
algorithm answers 'no', we have to prove that the two input languages cannot
be separated by an FO-definable language, and that we can produce a witness
function. This is established in Proposition 12. The proof follows standard
arguments.

The quantifier depth, a.k.a. quantifier rank, of an FO-formula is the maximal
number of nested quantifiers in the formula. Two words $u, v \in \Sigma^{\mathrm{ord}}$ are said
to be $\mathrm{FO}_k$-equivalent, denoted by $u \equiv_{\mathrm{FO}_k} v$, if every FO-sentence of quantifier
depth at most $k$ accepts $u$ if and only if it accepts $v$.


Proposition 10. Let $k \in \mathbb{N}$.

— For $u, u', v, v' \in \Sigma^{\mathrm{ord}}$, if $u \equiv_{\mathrm{FO}_k} u'$ and $v \equiv_{\mathrm{FO}_k} v'$ then $uv \equiv_{\mathrm{FO}_k} u'v'$,
— for all $\Sigma^{\mathrm{ord}}$-valued sequences $(u_n)_{n \in \mathbb{N}}$ and $(u'_n)_{n \in \mathbb{N}}$, if $u_n \equiv_{\mathrm{FO}_k} u'_n$ for all
$n \in \mathbb{N}$, then $\mathrm{flat}(u_n \mid n \in \mathbb{N}) \equiv_{\mathrm{FO}_k} \mathrm{flat}(u'_n \mid n \in \mathbb{N})$, and
— for all $n \ge 2^k - 1$, for all $u \in \Sigma^{\mathrm{ord}}$, $u^n \equiv_{\mathrm{FO}_k} u^{n+1}$.


This can be proved, for example, by using Ehrenfeucht-Fraïssé games—see
e.g. [33, Lemma 6.5 & Corollary 6.9] for a proof of the first and third items;
the proof of the second item is similar⁸. Note that the first two items are also
immediate corollaries of the Feferman-Vaught theorem [20, Theorem 1.3]. Note
that the third property can be used to prove that every FO-definable language
is recognised by an aperiodic finite ordinal monoid—this is the easy direction of
Bedon's theorem [7].

Throughout the rest of this section, we fix $K$ and $L$, two regular languages of
countable ordinal words over an alphabet $\Sigma$. Recall that the algorithm computes
the subset $\mathrm{Sat} := \langle \{\{\sigma(a)\} \mid a \in \Sigma\} \rangle^{\mathrm{grp,ord}}$ of $\mathcal{P}(M)$, where $\mathbf{M}$ is a finite ordinal
monoid recognising both $K$ and $L$.

⁸ Moreover, note that the first item can be deduced from the second item by taking
$u_n = u'_n = \varepsilon$ for $n \ge 2$.

We begin with a lemma which states that to all sets that belong to $\mathrm{Sat}$
can be effectively associated witnesses of indistinguishability (we shall see in
Proposition 30 that what we have proved is that the elements in $\mathrm{Sat}$ are pointlike
sets).


Lemma 11. There exists a computable function which takes as input a number
$k \in \mathbb{N}$ and an element $X \in \mathrm{Sat}$, and produces an $X$-indexed sequence of ordinal
words $(u_x)_{x \in X} \in (\Sigma^{\mathrm{ord}})^X$ such that,

— $\pi(\sigma^{\mathrm{ord}}(u_x)) = x$ for all $x \in X$, and
— $u_x \equiv_{\mathrm{FO}_k} u_{x'}$ for all $x, x' \in X$.


The proof is by structural induction on the definition of $\mathrm{Sat}$, making use of
the first two items of Proposition 10 for composing witnesses, and furthermore of
the third item for treating the $-^{\mathrm{grp}}$ operation.

From the above lemma, one can easily deduce that when the algorithm an- 
swers ‘no’, there is indeed an obstruction to the fact that K and L can be 
FO-separated. 


Proposition 12. Assume that the algorithm answers 'no' when run with input
languages $K$ and $L$. Then there is a witness function which computes, for any
FO-sentence $\varphi$, a pair of words $(u, u') \in K \times L$ such that $u \models \varphi$ if and only if
$u' \models \varphi$. In particular, $K$ and $L$ cannot be FO-separated.

Proof. Since the algorithm answered 'no', pick a pair $(x, x') \in F_K \times F_L$ such that
$x, x' \in X$ for some $X \in \mathrm{Sat}$. Now, for any FO-sentence $\varphi$, using the function of
Lemma 11 with $k$ the quantifier depth of $\varphi$, we can compute a sequence $(u_z)_{z \in X}$
of ordinal words. Now define $u := u_x$ and $u' := u_{x'}$. Then $u \equiv_{\mathrm{FO}_k} u'$, so that
$u \models \varphi$ if and only if $u' \models \varphi$. Also, $\pi(\sigma^{\mathrm{ord}}(u)) = x \in F_K$ and $\pi(\sigma^{\mathrm{ord}}(u')) = x' \in F_L$,
so $u \in K$ and $u' \in L$.


Example 13 (Continuing Example 9). Recall that $J$ and $K$ are not FO-separable.
Because of the set $\{a^\omega a, a^\omega aa\} \in \langle \{\{\sigma(a)\} \mid a \in \Sigma\} \rangle^{\mathrm{grp,ord}}$, the algorithm outputs
'no', and can return, to witness the FO-inseparability of the two languages, the
computable map $\varphi \mapsto (a^\omega a^{2^k+1}, a^\omega a^{2^k+2}) \in J \times K$, where $k$ denotes the quantifier
depth of $\varphi$. To prove that $a^\omega a^{2^k+1} \equiv_{\mathrm{FO}_k} a^\omega a^{2^k+2}$, one can simply use the
first and third items of Proposition 10.


5 When the algorithm says ‘yes’ 


We now establish the completeness part of the proof of the main theorem, The- 
orem 1. The goal of this proof is to establish that if the algorithm answers ‘yes’, 
it is indeed possible to produce an FO-separator (Corollary 16). 

This is the part of the proof that differs most substantially from previous 
works on separation. In Section 5.1, we abstract the question with the notion of 
ordinal monoids with merge, and we introduce the notion of FO-approximants 
which are FO-definable over-approximations of the product. The key result, 
Lemma 15, states their existence for all finite ordinal monoids with merge. Corollary 16
follows immediately. The proof of Lemma 15 is then established in Section 5.2
for words of finite or ω length. Building on these simpler cases, the
general case is the subject of Section 5.3.


5.1 Merge operators and FO-approximants 


We abstract in this section the ordinal monoid $\mathcal{P}(M)$ equipped with the $-^{\mathrm{grp}}$ operator
into a new algebraic structure. A finite ordinal monoid with merge $\mathbf{M} = (M, 1, \le, \cdot, \omega, \mathrm{grp})$
consists of:

— a presentation of an ordered ordinal monoid $(M, 1, \le, \cdot, \omega)$, together with
— a monotonic merge operator $-^{\mathrm{grp}}\colon M \to M$ such that for all $a, b \in M$, and
all integers $k$,

$$a^{\mathrm{idem}+k} \le a^{\mathrm{grp}},\qquad (a^{\mathrm{grp}})^\omega = a^\omega,$$

$$a^{\mathrm{grp}} \cdot a^{\mathrm{grp}} = (a^{\mathrm{grp}})^{\mathrm{grp}} = a^{\mathrm{grp}}\quad\text{and}\quad (a \cdot b)^{\mathrm{grp}} = a \cdot (b \cdot a)^{\mathrm{grp}} \cdot b.$$

The following lemma is an immediate consequence of Lemma 7.
The following lemma is an immediate consequence of Lemma 7. 


Lemma 14. Both $(\mathcal{P}(M), \{1\}, \subseteq, \cdot, \omega, \mathrm{grp})$ and $(\mathrm{Sat}, \{1\}, \subseteq, \cdot, \omega, \mathrm{grp})$ are ordinal
monoids with merge.

The idea behind ordinal monoids with merge is that there is not only a
product operation as for every ordinal monoid, but also an FO-definable over-approximation
of it. This is the concept of FO-approximant that we introduce
now. Given an FO-definable language $L \subseteq M^{\mathrm{ord}}$, an FO-approximant of $\pi$
over $L$ is an FO-definable map $\rho\colon L \to M$ such that:

$$\pi(u) \le \rho(u),\quad \text{for all } u \in L.$$


The key result concerning ordinal monoids with merge is the existence of a total 
FO-approximant: 


Lemma 15. There is an FO-approximant $\rho$ over $M^{\mathrm{ord}}$ for all ordinal monoids
with merge $\mathbf{M}$.


An example of an FO-approximant can be found in Example 26. Before 
establishing Lemma 15, let us explain why it is sufficient for concluding the 
proof of Theorem 1 in the case the algorithm answers ‘yes’. 


Corollary 16. If the algorithm answers 'yes', there exists an FO-separator.


Proof. By Lemmas 14 and 15, there exists an FO-approximant $\rho\colon \mathcal{A}^{\mathrm{ord}} \to \langle \mathcal{A} \rangle^{\mathrm{grp,ord}}$
over the power ordinal monoid $\mathcal{P}(M)$, where $\mathcal{A} = \{\{\sigma(a)\} \mid a \in \Sigma\}$.
Now define the language

$$S := \{u \in \Sigma^{\mathrm{ord}} \mid \rho(\hat\sigma^{\mathrm{ord}}(u)) \cap F_K \ne \emptyset\}$$

where $\hat\sigma^{\mathrm{ord}}(u) := (\{\sigma(u_i)\})_{i \in \mathrm{dom}(u)} \in \mathcal{A}^{\mathrm{ord}}$ for all $u \in \Sigma^{\mathrm{ord}}$.
Note first that since $\rho$ is FO-definable, this language is FO-definable. Let us
show that it separates $K$ from $L$.

For every $u \in K$, $F_K \ni \pi(\sigma^{\mathrm{ord}}(u)) \in \rho(\hat\sigma^{\mathrm{ord}}(u))$, and as a consequence
$\rho(\hat\sigma^{\mathrm{ord}}(u)) \cap F_K \ne \emptyset$. We have proved $K \subseteq S$.

Conversely, consider some $u \in L$. We have $F_L \ni \pi(\sigma^{\mathrm{ord}}(u)) \in \rho(\hat\sigma^{\mathrm{ord}}(u)) \in \langle \mathcal{A} \rangle^{\mathrm{grp,ord}}$
and thus $\rho(\hat\sigma^{\mathrm{ord}}(u)) \cap F_L \ne \emptyset$. Since the algorithm returns 'yes', this
means that there is no set in $\langle \mathcal{A} \rangle^{\mathrm{grp,ord}}$ that intersects both $F_K$ and $F_L$. In our
case, this means that $\rho(\hat\sigma^{\mathrm{ord}}(u)) \cap F_K = \emptyset$, proving that $u \notin S$. We have proved
$L \cap S = \emptyset$.

Overall, S is an FO-separator for K and L. 


Remark 17. Notice how the "difficult" implication of Bedon's theorem (Proposition 4)
can be easily deduced from Lemma 15⁹: recall that this implication
consists in showing that a regular language $L \subseteq \Sigma^{\mathrm{ord}}$, recognised by some
triplet $(\mathbf{M}, \sigma, F)$ with $\mathbf{M}$ aperiodic, is definable in first-order logic. Indeed,
by aperiodicity of $\mathbf{M}$, the operation $-^{\mathrm{grp}}$ applied to a singleton $\{a\}$ yields the
singleton $\{a^{\mathrm{idem}}\}$. Hence, the set $\langle \{\{\sigma(a)\} \mid a \in \Sigma\} \rangle^{\mathrm{grp,ord}} = \{\{\pi \circ \sigma^{\mathrm{ord}}(u)\} \mid u \in \Sigma^{\mathrm{ord}}\}$
consists only of singletons, and as a consequence, every FO-approximant
$\rho$ (and in particular the one constructed in Lemma 15) maps a word $u$ to $\pi(u)$.
Hence, $\pi$ is an FO-definable map, and thus $L$ is an FO-definable language.


The rest of this section is devoted to establishing Lemma 15. The construction
is based on subresults showing the existence of FO-approximants over subsets
of $M^{\mathrm{ord}}$; first for finite and ω-words in Section 5.2, and finally for words of any
countable ordinal length in Section 5.3. But beforehand, we shall introduce some
more definitions and elementary results.

In what follows we use the notation $\langle - \rangle^{\mathrm{grp,ord}}$ from Definition 8, interpreted
in a generic ordinal monoid with merge, as well as some variants. Let $A \subseteq M$.
We define $\langle A \rangle^+$ as the closure of $A$ under $\cdot$, $\langle A \rangle^{\mathrm{grp}+}$ as the closure of $A$ under $\cdot$
and $-^{\mathrm{grp}}$, and $\langle A \rangle^{\mathrm{grp}*}$ as $\langle A \rangle^{\mathrm{grp}+} \cup \{1\}$. We define $\langle A \rangle^{\mathrm{grp,ord}+}$ as the closure of $A$
under $\cdot$, $-^{\mathrm{grp}}$ and $-^\omega$. Note that thanks to the identities of ordinal monoids with
merge, we have $\langle A \rangle^{\mathrm{grp,ord}} = \langle A \rangle^{\mathrm{grp,ord}+} \cup \{1\}$. Moreover, we have the following
identities¹⁰:

Proposition 18. Let $\mathbf{M}$ be an ordinal monoid with merge. For every $A \subseteq M$,

$$\langle A \rangle^{\mathrm{grp}+} = A \langle A \rangle^{\mathrm{grp}*} = \langle A \rangle^{\mathrm{grp}*} A \quad\text{and}\quad \langle A \rangle^{\mathrm{grp,ord}+} = A \langle A \rangle^{\mathrm{grp,ord}}.$$

Proof. Note, by definition, that $\langle A \rangle^{\mathrm{grp}*} = \langle A \rangle^{\mathrm{grp}+} \cup \{1\}$, so

$$A \langle A \rangle^{\mathrm{grp}*} = A \langle A \rangle^{\mathrm{grp}+} \cup A \subseteq \langle A \rangle^{\mathrm{grp}+}.$$


The converse inclusion $\langle A \rangle^{\mathrm{grp}+} \subseteq A \langle A \rangle^{\mathrm{grp}*}$ is obtained by induction. Let $b \in \langle A \rangle^{\mathrm{grp}+}$.
If $b \in A$, then $b \in A \langle A \rangle^{\mathrm{grp}*}$ since $1 \in \langle A \rangle^{\mathrm{grp}*}$. If $b = cd$ with $c, d \in \langle A \rangle^{\mathrm{grp}+}$,
then, by induction, $c = ac'$ for some $a \in A$ and $c' \in \langle A \rangle^{\mathrm{grp}*}$, thus $b = a(c'd) \in A \langle A \rangle^{\mathrm{grp}*}$
since $a \in A$ and $c'd \in \langle A \rangle^{\mathrm{grp}*}$. Finally, if $b = c^{\mathrm{grp}}$, then, again
by induction, $c = ac'$ for some $a \in A$ and $c' \in \langle A \rangle^{\mathrm{grp}*}$, and thus $b = c^{\mathrm{grp}} = c\,c^{\mathrm{grp}} = a(c'c^{\mathrm{grp}}) \in A \langle A \rangle^{\mathrm{grp}*}$.

The equality $\langle A \rangle^{\mathrm{grp}+} = \langle A \rangle^{\mathrm{grp}*} A$ is symmetric.

The identity $\langle A \rangle^{\mathrm{grp,ord}+} = A \langle A \rangle^{\mathrm{grp,ord}}$ is similar. The new case in the induction
is if some $b \in \langle A \rangle^{\mathrm{grp,ord}+}$ is of the form $c^\omega$, then, by induction hypothesis,
$c = ac'$ for some $a \in A$ and $c' \in \langle A \rangle^{\mathrm{grp,ord}}$, and thus $b = c^\omega = c\,c^\omega = a(c'c^\omega) \in A \langle A \rangle^{\mathrm{grp,ord}}$.

⁹ Similarly, for finite words, Schützenberger-McNaughton-Papert's theorem is a consequence
of Henckell's algorithm for aperiodic pointlikes—see e.g. [25, Corollary 4.8].

¹⁰ Notice the similarity with the (trivial) identities $A^+ = AA^* = A^*A$ and $A^{\mathrm{ord}+} = A\,A^{\mathrm{ord}}$.


Proposition 19. If there are FO-approximants over $K$ and $L$ respectively, then
there exist effectively FO-approximants over $K \cup L$ and $KL$.


5.2 Construction of FO-approximants for words of finite and ω-length


First, we show how to construct FO-approximants for finite words. It serves at 
the same time as a building block for more complex cases, as a way to show the 
proof mechanisms in simpler cases, as well as to comment on differences with 
previous works. 


Lemma 20. Let $A \subseteq M$, then either

— $a \cdot \langle A \rangle^{\mathrm{grp}+} \subsetneq \langle A \rangle^{\mathrm{grp}+}$, for some $a \in A$,
— $\langle A \rangle^{\mathrm{grp}+} \cdot a \subsetneq \langle A \rangle^{\mathrm{grp}+}$, for some $a \in A$, or
— $\langle A \rangle^{\mathrm{grp}+}$ has a maximum.


Proof. Assume the two first items do not hold. Since the first item fails, the
map $x \mapsto a \cdot x$ is surjective on $\langle A \rangle^{\mathrm{grp}+}$, for all $a \in A$. Since $\langle A \rangle^{\mathrm{grp}+}$ is finite,
this means that it is bijective on $\langle A \rangle^{\mathrm{grp}+}$. Hence it is also bijective on $\langle A \rangle^+$. The
negation of the second item has a symmetric consequence. Together we get that
$\langle A \rangle^+$ is a group. Let $I$ be its neutral element. Note first that for all $x \in \langle A \rangle^+$,
$I = x^k$ for some $k$, and hence, $I \le x^{\mathrm{grp}}$. Set now $a_1, \dots, a_n$ to be the elements
in $A$, and define $\mathsf{M} := (a_1^{\mathrm{grp}} \cdot a_2^{\mathrm{grp}} \cdots a_n^{\mathrm{grp}})^{\mathrm{grp}}$.

By the above remark $a_i = I \cdots I \cdot a_i \cdot I \cdots I \le a_1^{\mathrm{grp}} \cdot a_2^{\mathrm{grp}} \cdots a_n^{\mathrm{grp}} \le \mathsf{M}$ for
all $i$. Since furthermore for all $x, y \le \mathsf{M}$, $x \cdot y \le \mathsf{M}$ and $x^{\mathrm{grp}} \le \mathsf{M}$, it follows
that $z \le \mathsf{M}$ for all $z \in \langle A \rangle^{\mathrm{grp}+}$.


A similar lemma is used in [25], but concludes with the existence of a pseudo- 
group as the third item. 


Lemma 21. For all $a \in M$ there exists an FO-approximant from $a^+$ to $\langle \{a\} \rangle^{\mathrm{grp}+}$.

Construction. Let $k$ be such that $a^{\mathrm{idem}} = a^k$. Define, for the word $a^n$ of length $n$,

$$\rho(a^n) := \begin{cases} a^n & \text{if } n < k,\\ a^{\mathrm{grp}} & \text{otherwise.} \end{cases}$$

We can now use this for proving the finite word case.


Lemma 22. For all $A \subseteq M$ there exists an FO-approximant from $A^+$ to $\langle A \rangle^{\mathrm{grp}+}$.


Proof. We use a double induction on $|\langle A \rangle^{\mathrm{grp}+}|$ and $|A|$. The induction is guided
by Lemma 20. The base case is $A = \emptyset$, and the nowhere defined FO-approximant
proves it.

First case: $a \cdot \langle A \rangle^{\mathrm{grp}+} \subsetneq \langle A \rangle^{\mathrm{grp}+}$ for some $a \in A$. This part of the proof is
similar to [25, Lemma 6.7]. Let $B := A \setminus \{a\}$.

We first construct an FO-approximant from $a^+B^+$ to $a \cdot \langle A \rangle^{\mathrm{grp}+}$. Indeed, we
know by Lemma 21 that there is an FO-approximant from $a^+$ to $\langle \{a\} \rangle^{\mathrm{grp}+} \subseteq a \cdot \langle A \rangle^{\mathrm{grp}*}$.
We also know by induction¹¹ that there is an FO-approximant from $B^+$
to $\langle B \rangle^{\mathrm{grp}+} \subseteq \langle A \rangle^{\mathrm{grp}+}$. Thus by Proposition 19, there exists effectively an
FO-approximant $\tau$ from $a^+B^+$ to $a \cdot \langle A \rangle^{\mathrm{grp}*} \cdot \langle A \rangle^{\mathrm{grp}+} \subseteq a \cdot \langle A \rangle^{\mathrm{grp}+}$.

We now provide an FO-approximant for $(a^+B^+)^*$ (which is FO-definable),
and for this, define the condensation FO-formula $\varphi(x, y)$ that expresses that "two
positions $x$ and $y$ are equivalent if the subword on the interval $[x, y]$ belongs to
$a^*B^*$" (this can be expressed in first-order logic). Over a word $u \in (a^+B^+)^*$,
each of the condensation classes belongs to $a^+B^+$ and its image under $\tau$
belongs to $a \cdot \langle A \rangle^{\mathrm{grp}+}$. Furthermore, still by induction hypothesis¹², there is an
FO-approximant from $(a \cdot \langle A \rangle^{\mathrm{grp}+})^*$ to $\langle A \rangle^{\mathrm{grp}+}$. By Lemma 5, we thus obtain
an FO-definable map from $(a^+B^+)^*$ to $\langle A \rangle^{\mathrm{grp}+}$. It is an FO-approximant by
construction.

Using the above case and Proposition 19, it can be easily extended to an
FO-approximant from $A^+ = A\,B^*(a^+B^+)^*a^*$ to $\langle A \rangle^{\mathrm{grp}+}$.

Second case: $\langle A \rangle^{\mathrm{grp}+} \cdot a \subsetneq \langle A \rangle^{\mathrm{grp}+}$. This case is symmetric to the first case.

Third case: $\langle A \rangle^{\mathrm{grp}+}$ has a maximum $\mathsf{M}$. Then the constant map that sends
every word $u \in A^+$ to $\mathsf{M}$ is an FO-approximant over $A^+$.


Following similar ideas, we can treat the case of ω-words. We define here
$\langle A \rangle^{\mathrm{grp},\omega}$ as the set of elements of the form $a \cdot b^\omega$ with $a, b \in \langle A \rangle^{\mathrm{grp}*}$—or, equivalently,
$\langle A \rangle^{\mathrm{grp},\omega} = \langle A \rangle^{\mathrm{grp}*} \cdot (\langle A \rangle^{\mathrm{grp}*})^\omega$.

Lemma 23. Let $\mathbf{M}$ be an ordinal monoid with merge. For all $A \subseteq M$, there
exists an FO-approximant from $A^\omega$ to $\langle A \rangle^{\mathrm{grp},\omega}$.


5.3 Construction of FO-approximants for countable ordinal words 


As for the finite case, the proof revolves around a carefully designed case distinc- 
tion. This one is more complex to establish, and makes use of Green’s relations 
and a precise understanding of the properties of ordinal monoids with merge. 


Lemma 24 (Trichotomy principle). Let $\mathbf{M}$ be a finite ordinal monoid with
merge and $A \subseteq M$, then either

— $a \cdot \langle A \rangle^{\mathrm{grp,ord}+} \subsetneq \langle A \rangle^{\mathrm{grp,ord}+}$ for some $a \in A$,
— $\langle \langle A \rangle^{\mathrm{grp},\omega} \rangle^{\mathrm{grp,ord}+} \subsetneq \langle A \rangle^{\mathrm{grp,ord}+}$, or
— $x \cdot y = y$ and $x^\omega = y^\omega$, for all $x, y \in \langle A \rangle^{\mathrm{grp,ord}+}$.

¹¹ Indeed, $|B| < |A|$.

¹² This time, we can use the induction hypothesis because $|\langle a \cdot \langle A \rangle^{\mathrm{grp}+} \rangle^{\mathrm{grp}+}| < |\langle A \rangle^{\mathrm{grp}+}|$.
Indeed, by Proposition 18, $\langle a \cdot \langle A \rangle^{\mathrm{grp}+} \rangle^{\mathrm{grp}+} \subseteq (a \cdot \langle A \rangle^{\mathrm{grp}+}) \cdot \langle a \cdot \langle A \rangle^{\mathrm{grp}+} \rangle^{\mathrm{grp}*} \subseteq a \cdot \langle A \rangle^{\mathrm{grp}+} \subsetneq \langle A \rangle^{\mathrm{grp}+}$.


The above lemma is key in the proof of the existence of an FO-approximant. 


Lemma 25. For all $a \in M$, there exists an FO-approximant over $a^{\mathrm{ord}}$.


The proof follows a similar structure as the one for Lemma 22 for the finite case. 
This time, Lemma 24 is the key argument that makes the induction progress, 
playing the same role as Lemma 20 in the finite case. Note, however, that the 
second items in Lemmas 20 and 24 are very different in structure. And indeed, 
this entails a different argument for constructing the FO-approximant. It is based 
on performing in one step the condensation of all the maximal factors of order- 
type w. 


Example 26 (Continuing Example 13). An FO-approximant $\rho$ of $\pi$ over $a^{\mathrm{ord}}$ in
the ordinal monoid defined in Example 9 can be defined for all $u \in \{a\}^{\mathrm{ord}}$ as:

$$\rho(u) := \begin{cases} \{1\} & \text{if } \mathrm{dom}(u) \text{ is empty},\\ \{a, aa\} & \text{if } \mathrm{dom}(u) \text{ is finite and non-empty},\\ \{a^\omega\} & \text{if } \mathrm{dom}(u) \text{ is a non-zero limit ordinal},\\ \{a^\omega a, a^\omega aa\} & \text{if } \mathrm{dom}(u) \text{ is an infinite successor ordinal.} \end{cases}$$


Lemma 27. For all $A \subseteq M$, there exists an FO-approximant from $A^{\mathrm{ord}+}$ to
$\langle A \rangle^{\mathrm{grp,ord}+}$.


Proof. We prove the result by induction on $|\langle A \rangle^{\mathrm{grp,ord}+}|$ and $|A|$. The base
case $A = \emptyset$ is trivial. If $A$ is non-empty, following Lemma 24, there are three
cases to treat.

First case: There exists $a \in A$ such that $a \cdot \langle A \rangle^{\mathrm{grp,ord}+} \subsetneq \langle A \rangle^{\mathrm{grp,ord}+}$. This
case is as in the proof for finite words, Lemma 22, using Lemma 25 in place of
Lemma 21. The key reason why the proof remains valid is because the hypothesis
$a \cdot \langle A \rangle^{\mathrm{grp,ord}+} \subsetneq \langle A \rangle^{\mathrm{grp,ord}+}$ implies $|\langle a \cdot \langle A \rangle^{\mathrm{grp,ord}+} \rangle^{\mathrm{grp,ord}+}| < |\langle A \rangle^{\mathrm{grp,ord}+}|$
by Proposition 18¹³.

Second case¹⁴: $\langle \langle A \rangle^{\mathrm{grp},\omega} \rangle^{\mathrm{grp,ord}+} \subsetneq \langle A \rangle^{\mathrm{grp,ord}+}$. By Lemma 23, there is an
FO-approximant from $A^\omega$ to $\langle A \rangle^{\mathrm{grp},\omega}$. By induction hypothesis¹⁵, we have an
FO-approximant from $(\langle A \rangle^{\mathrm{grp},\omega})^{\mathrm{ord}+}$ to $\langle \langle A \rangle^{\mathrm{grp},\omega} \rangle^{\mathrm{grp,ord}+} \subseteq \langle A \rangle^{\mathrm{grp,ord}+}$. Since
the formula $\mathrm{finite}(x, y)$ is a condensation FO-formula, we obtain by Lemma 5
an FO-approximant from $(A^\omega)^{\mathrm{ord}+}$ to $\langle A \rangle^{\mathrm{grp,ord}+}$. Using Proposition 19 and
Lemma 22, we easily extend it to an FO-approximant from $A^{\mathrm{ord}+} = A (A^\omega)^{\mathrm{ord}} A^*$
to $\langle A \rangle^{\mathrm{grp,ord}+}$.

Third case: $x \cdot y = y$ and $x^\omega = y^\omega$, for all $x, y \in \langle A \rangle^{\mathrm{grp,ord}+}$. Then the
product over $A$ sends a countable ordinal word $u \in A^{\mathrm{ord}+}$ to its last letter if
the word has a last letter, and to the unique omega power of $\langle A \rangle^{\mathrm{grp,ord}+}$ if the
word has no last letter. Since the languages of the form $A^{\mathrm{ord}} a$ where $a \in A$ and
$\{u \in A^{\mathrm{ord}+} \mid \mathrm{dom}(u) \text{ is a limit ordinal}\}$ are all FO-definable, it follows that the
product over $A$ is FO-definable.

¹³ More precisely, we are using the property $\langle B \rangle^{\mathrm{grp,ord}+} = B \langle B \rangle^{\mathrm{grp,ord}}$ of Proposition 18.
By thinking of elements of $\langle B \rangle^{\mathrm{grp,ord}+}$ as "countable ordinal words with
merge", this property is simply saying that every "countable ordinal word with
merge" has a first letter. However, countable ordinal words need not have a last
letter: this is what makes a hypothesis of the form $\langle A \rangle^{\mathrm{grp,ord}+} \cdot a \subsetneq \langle A \rangle^{\mathrm{grp,ord}+}$
unusable—and this is the motivation behind the trichotomy principle Lemma 24.

¹⁴ Note here that it is different from the second case in the proof of Lemma 22.

¹⁵ Indeed, $\langle \langle A \rangle^{\mathrm{grp},\omega} \rangle^{\mathrm{grp,ord}+} \subsetneq \langle A \rangle^{\mathrm{grp,ord}+}$.


6 Related problems 


In this section, we solve two related problems: the decidability of the cover- 
ing problem (Proposition 28), and the computability of pointlike sets (Proposi- 
tion 30). Both are direct applications of the key lemmas presented above. 

The FO-covering problem asks, given regular languages, in our case of countable
ordinal words, $L, K_1, \dots, K_n$, to determine if there exist FO-definable languages
$C_1, \dots, C_n$ such that $L \subseteq \bigcup_i C_i$ and $C_i \cap K_i = \emptyset$ for all $i$—see [27] for
more details. In general, separation problems trivially reduce to covering prob- 
lems, since L and K are separable if and only if there is a solution to the covering 
problem for the instance (L, K). In the other direction, there is no known ex- 
ample of a variety with decidable separation problem but undecidable covering 
problem. We show that a further consequence of the above results is that the 
FO-pointlike sets in a finite ordinal monoid (see Definition 29) are computable, 
from which we deduce: 


Proposition 28. The FO-covering problem for countable ordinal words is de- 
cidable. 


Let us now introduce, and explain, the relation with pointlike sets. The $\mathrm{FO}_k$-closure
of a word $u$ is the set $[u]_{\mathrm{FO}_k}$ which contains all words that are $\mathrm{FO}_k$-equivalent
to $u$.


Definition 29. Given a finite ordinal monoid $\mathbf{M}$ the FO-pointlike sets of a
map $\sigma\colon \Sigma \to M$ are defined by

$$\mathrm{Pl}_{\mathrm{FO}}(\sigma) := \bigcap_{k \in \mathbb{N}} {\downarrow}\{\pi(\sigma^{\mathrm{ord}}([u]_{\mathrm{FO}_k})) \mid u \in \Sigma^{\mathrm{ord}}\}$$

where ${\downarrow}X$ denotes the downward closure of $X$.


The definition of pointlike sets is in fact more general¹⁶: given a variety of
finite semigroups $\mathbf{V}$ one can define a notion of pointlike sets with respect to this
variety. Almeida observed that the separation problem for the variety $\mathbf{V}$—given
two regular languages, can they be separated by a $\mathbf{V}$-recognisable language?—is
decidable if and only if the $\mathbf{V}$-pointlikes of size 2 of every morphism are
computable [2, Prop. 3.4]. The covering problem also has an algebraic counterpart:
it is decidable for the variety $\mathbf{V}$ if and only if, for every morphism, the collection
of all $\mathbf{V}$-pointlike sets of this morphism is computable [2, Prop. 3.6]¹⁷. Hence,
the fact that FO-covering and FO-separation are decidable for finite words is
simply a corollary of Henckell's theorem on aperiodic pointlikes [19, Fact 3.7 &
Fact 5.31], stating that they are computable. Place & Zeitoun's simpler proof
of the decidability of FO-covering for finite words and for ω-words [25] relies
on the same principle.¹⁸ Unsurprisingly, our result can be interpreted in the
same way: we are implicitly showing the following property, from which one can
immediately deduce the computability of $\mathrm{Pl}_{\mathrm{FO}}(\sigma)$.

¹⁶ In the following discussion, we focus on finite words, but the notion of variety—of
algebras, or of languages—can be extended to countable ordinal words [8] and many
other settings [11, §4].


Proposition 30. Given a finite ordinal monoid $\mathbf{M}$ and $\sigma\colon \Sigma \to M$,

$$\mathrm{Pl}_{\mathrm{FO}}(\sigma) = {\downarrow}\langle \{\{\sigma(a)\} \mid a \in \Sigma\} \rangle^{\mathrm{grp,ord}}.$$


7 Conclusion 


In this paper, we have studied the problem of FO-separation over words of countable
ordinal length. Our proof is based on the work of Place and Zeitoun over
words of length ω [25]. We build an FO-approximant using essentially the same
technique as Place and Zeitoun. However a key difference is that for finite words
and ω-words, the proof relies on a case distinction (Lemma 20) which is conceptually
similar to the characterisation of groups as semigroups whose translations
are bijective. This was no longer sufficient for countable ordinal words because
of ω-iterations. In this situation, our new case distinction (Lemma 24) captures
the subtle interaction of ω-iteration with groups in finite ordinal monoids. In
particular, a difference with previously known algorithms is that we do not close
the saturation under subsets. This a priori innocuous difference has significant
consequences on the proof of completeness, yielding some simplifications in the
finite and ω-case, and being necessary for the proof to be extendable to all ordinals.
Of course, the next step is to go to longer words, in particular scattered
countable words, or even better to all countable words. Here, there are conceptual
difficulties, and let us stress also that, starting from scattered countable words,
first-order logic and first-order logic with access to Dedekind cuts begin to have
a different expressiveness. Thus several notions of separation have to be studied.


¹⁷ Beware: there is a typo in the statement of the first item of the proposition.

¹⁸ There is a difference in terminology: they refer to the $\mathrm{Pl}_{\mathrm{FO}}(\varphi)$ as "optimal imprint
with respect to FO on $\varphi$".

References

1. Adsul, B., Sarkar, S., Sreejith, A.V.: First-order logic and its infinitary quantifier extensions over countable words (2021)
2. Almeida, J.: Some algorithmic problems for pseudovarieties. Publ. Math. Debrecen 54(1), 531–552 (1999)
3. Almeida, J., Zeitoun, M.: The pseudovariety J is hyperdecidable. RAIRO – Theoretical Informatics and Applications 31(5), 457–482 (1997)
4. Ash, C.J.: Inevitable graphs: a proof of the type II conjecture and some related decision procedures. International Journal of Algebra and Computation 1(01), 127–146 (1991)
5. Bedon, N.: Finite automata and ordinals. Theoretical Computer Science 156(1), 119–144 (1996). https://doi.org/10.1016/0304-3975(95)00006-2
6. Bedon, N.: Langages reconnaissables de mots indexés par des ordinaux. Theses, Université de Marne la Vallée (Jan 1998), https://tel.archives-ouvertes.fr/tel-00003586
7. Bedon, N.: Logic over words on denumerable ordinals. Journal of Computer and System Sciences 63(3), 394–431 (2001). https://doi.org/10.1006/jcss.2001.1782
8. Bedon, N., Carton, O.: An Eilenberg theorem for words on countable ordinals. In: Lucchesi, C.L., Moura, A.V. (eds.) LATIN'98: Theoretical Informatics. pp. 53–64. Springer Berlin Heidelberg, Berlin, Heidelberg (1998). https://doi.org/10.1007/BFb0054310
9. Bedon, N., Rispal, C.: Schützenberger and Eilenberg theorems for words on linear orderings. Journal of Computer and System Sciences 78(2), 517–536 (Mar 2012). https://doi.org/10.1016/j.jcss.2011.06.003
10. Bès, A., Carton, O.: Algebraic Characterization of FO for Scattered Linear Orderings. In: Bezem, M. (ed.) Computer Science Logic (CSL'11) - 25th International Workshop/20th Annual Conference of the EACSL. Leibniz International Proceedings in Informatics (LIPIcs), vol. 12, pp. 67–81. Schloss Dagstuhl–Leibniz-Zentrum fuer Informatik, Dagstuhl, Germany (2011). https://doi.org/10.4230/LIPIcs.CSL.2011.67
11. Bojańczyk, M.: Recognisable languages over monads. In: Potapov, I. (ed.) Developments in Language Theory. pp. 1–13. Springer International Publishing, Cham (2015), https://arxiv.org/abs/1502.04898v1
12. Büchi, J.R.: On a decision method in restricted second order arithmetic. In: Logic, Methodology and Philosophy of Science (Proc. 1960 Internat. Congr.), pp. 1–11. Stanford Univ. Press, Stanford, Calif. (1962)
13. Büchi, J.R.: The monadic second order theory of ω₁, pp. 1–127. Springer Berlin Heidelberg (1973). https://doi.org/10.1007/BFb0082721
14. Carton, O., Colcombet, T., Puppis, G.: An algebraic approach to MSO-definability on countable linear orderings (May 2018). https://doi.org/10.1017/jsl.2018.7
15. Choueka, Y.: Finite automata, definable sets, and regular expressions over ω^n-tapes. Journal of Computer and System Sciences 17(1), 81–97 (1978)
16. Colcombet, T., Sreejith, A.V.: Limited set quantifiers over countable linear orderings. In: Proceedings, Part II, of the 42nd International Colloquium on Automata, Languages, and Programming - Volume 9135. pp. 146–158. ICALP 2015, Springer-Verlag, Berlin, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47666-6_12
17. van Gool, S.J., Steinberg, B.: Merge decompositions, two-sided Krohn–Rhodes, and aperiodic pointlikes. Canadian Mathematical Bulletin 62(1), 199–208 (2019). https://doi.org/10.4153/CMB-2018-014-8
18. Gool, S., Steinberg, B.: Pointlike sets for varieties determined by groups. Advances in Mathematics 348, 18–50 (2019). https://doi.org/10.1016/j.aim.2019.03.020
19. Henckell, K.: Pointlike sets: the finest aperiodic cover of a finite semigroup. Journal of Pure and Applied Algebra 55(1), 85–126 (1988). https://doi.org/10.1016/0022-4049(88)90042-4
First-order separation over countable ordinals 283 


20. Makowsky, J.A.: Algorithmic uses of the Feferman-Vaught theorem. Annals of Pure and Applied Logic 126(1-3), 159–213 (2004). https://doi.org/10.1016/j.apal.2003.11.002
21. Manuel, A., Sreejith, A.V.: Two-variable logic over countable linear orderings. In: Faliszewski, P., Muscholl, A., Niedermeier, R. (eds.) 41st International Symposium on Mathematical Foundations of Computer Science, MFCS 2016, August 22-26, 2016 - Kraków, Poland. LIPIcs, vol. 58, pp. 66:1–66:13. Schloss Dagstuhl - Leibniz-Zentrum für Informatik (2016). https://doi.org/10.4230/LIPIcs.MFCS.2016.66
22. McNaughton, R., Papert, S.A.: Counter-Free Automata. The MIT Press (1971)
23. Perrin, D.: Recent results on automata and infinite words. In: International Symposium on Mathematical Foundations of Computer Science. pp. 134–148. Springer (1984). https://doi.org/10.1007/BFb0030294
24. Pin, J.E., Perrin, D.: Infinite Words: Automata, Semigroups, Logic and Games. Elsevier (2004), https://hal.archives-ouvertes.fr/hal-00112831
25. Place, T., Zeitoun, M.: Separating regular languages with first-order logic. Logical Methods in Computer Science 12 (2016). https://doi.org/10.2168/LMCS-12(1:5)2016
26. Place, T., Zeitoun, M.: The complexity of separation for levels in concatenation hierarchies. In: Ganguly, S., Pandya, P. (eds.) 38th IARCS Annual Conference on Foundations of Software Technology and Theoretical Computer Science (FSTTCS 2018). Leibniz International Proceedings in Informatics (LIPIcs), vol. 122, pp. 47:1–47:17. Schloss Dagstuhl–Leibniz-Zentrum fuer Informatik, Dagstuhl, Germany (2018). https://doi.org/10.4230/LIPIcs.FSTTCS.2018.47
27. Place, T., Zeitoun, M.: The covering problem. Logical Methods in Computer Science Volume 14, Issue 3 (Jul 2018). https://doi.org/10.23638/LMCS-14(3:1)2018
28. Place, T., Zeitoun, M.: On all things star-free. In: 46th International Colloquium on Automata, Languages, and Programming (ICALP 2019). Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik (2019), https://arxiv.org/abs/1904.11863v1
29. Place, T., Zeitoun, M.: Separation for dot-depth two. Logical Methods in Computer Science Volume 17, Issue 3 (Sep 2021). https://doi.org/10.46298/lmcs-17(3:24)2021
30. Rabin, M.O.: Decidability of second-order theories and automata on infinite trees. Trans. Amer. Math. Soc. 141, 1–35 (1969)
31. Rispal, C.: Automates sur les ordres linéaires : Complémentation. Theses, Université de Marne la Vallée (Dec 2004), https://tel.archives-ouvertes.fr/tel-00720658
32. Rispal, C., Carton, O.: Complementation of Rational Sets on Countable Scattered Linear Orderings. International Journal of Foundations of Computer Science 16(4), 767–786 (2005), https://hal.archives-ouvertes.fr/hal-00160985
33. Rosenstein, J.G.: Linear orderings. Academic press (1982)
34. Schützenberger, M.: On finite monoids having only trivial subgroups. Information and Control 8(2), 190–194 (1965). https://doi.org/10.1016/S0019-9958(65)90108-7
35. Shelah, S.: The monadic theory of order. Ann. of Math. (2) 102(3), 379–419 (1975)
36. Simon, I.: Piecewise testable events. In: Brakhage, H. (ed.) Automata Theory and Formal Languages. pp. 214–222. Springer Berlin Heidelberg, Berlin, Heidelberg (1975)
37. Wilke, T.: An algebraic theory for regular languages of finite and infinite words. International Journal of Algebra and Computation 03(04), 447–489 (1993). https://doi.org/10.1142/S0218196793000287
38. Wilke, T.: Classifying discrete temporal properties. In: Meinel, C., Tison, S. (eds.) STACS 99. pp. 32–46. Springer Berlin Heidelberg, Berlin, Heidelberg (1999). https://doi.org/10.1007/3-540-49116-3_3
39. Wojciechowski, J.: Classes of transfinite sequences accepted by nondeterministic finite automata. Fundamenta Informaticae 7(2), 191–223 (1984)
40. Wojciechowski, J.: Finite automata on transfinite sequences and regular expressions. Fundamenta Informaticae 8(3-4), 379–396 (1985)


Open Access This chapter is licensed under the terms of the Creative Commons 
Attribution 4.0 International License (http: //creativecommons.org/licenses/by/ 
4.0/), which permits use, sharing, adaptation, distribution and reproduction in any 
medium or format, as long as you give appropriate credit to the original author(s) and 
the source, provide a link to the Creative Commons license and indicate if changes 
were made. 

The images or other third party material in this chapter are included in the 
chapter’s Creative Commons license, unless indicated otherwise in a credit line to the 
material. If material is not included in the chapter’s Creative Commons license and 
your intended use is not permitted by statutory regulation or exceeds the permitted 
use, you will need to obtain permission directly from the copyright holder. 


A Faithful and Quantitative Notion of Distant Reduction for Generalized Applications


José Espírito Santo¹, Delia Kesner²,³, and Loïc Peyrot²


¹ Centro de Matemática, Universidade do Minho, Portugal
jes@math.uminho.pt
² Université de Paris, CNRS, IRIF, Paris, France
{kesner,lpeyrot}@irif.fr
³ Institut Universitaire de France (IUF), France


Abstract. We introduce a call-by-name lambda-calculus λJn with generalized applications which integrates a notion of distant reduction that allows to unblock β-redexes without resorting to the permutative conversions of generalized applications. We show strong normalization of simply typed terms, and we then fully characterize strong normalization by means of a quantitative typing system. This characterization uses a non-trivial inductive definition of strong normalization (that we relate to others in the literature), which is based on a weak-head normalizing strategy. Our calculus relates to explicit substitution calculi by means of a translation between the two formalisms which is faithful, in the sense that it preserves strong normalization. We show that our calculus λJn and the well-known calculus λJ determine equivalent notions of strong normalization. As a consequence, λJ inherits a faithful translation into explicit substitutions, and its strong normalization can be characterized by the quantitative typing system designed for λJn, despite the fact that quantitative subject reduction fails for permutative conversions.


Keywords: Lambda-calculus - Generalized applications - Quantitative types 


1 Introduction 


(Pure) functional programming can be understood by means of a universal model of computation known as the λ-calculus, which is in tight correspondence, by means of the so-called Curry-Howard isomorphism, with propositional intuitionistic logic in Gentzen's natural deduction style. The Curry-Howard isomorphism emphasizes the fact that proof systems on one hand, and programming languages on the other, are two mathematical and computational facets of the same object. The λ-calculus with generalized applications (λJ), introduced by Joachimski and Matthes [8], is an extension of the λ-calculus which can be seen as the Curry-Howard counterpart of von Plato's natural deduction with generalized elimination rules [11].
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A generalized application in AJ is written t(u, y.r). It intuitively means that t 
is applied to u in the context of the substitution {_/y}r. The conversion of the 8- 
redex (Azx.t)(u, y.r) then produces two (nested) substitutions {{u/x}t/y}r. But 
some {-redexes can be blocked by the syntax, e.g. in the term t(u, y.r)(u’, y’.r’), 
where the (potential) application of r = Ax.s to u’ remains hidden. An iterated 
generalized application t(u, y.r)(u’, y’.r’) may be rearranged as t(u, y.r(u’, y’.r’)) 
by a permutative conversion called m. Rule m is then an unblocker of stuck 8- 
redexes: the contractum t(u, y.(Av.s)(u’, y’.r’)) unveils the desired application 
of r to u’. Rule 7, together with rule 8, allows natural deduction proofs to 
be brought to a “fully normal” form [11] enjoying the subformula property. 
Computationally, AJ defines a call-by-name operational semantics; a call-by- 
value variant has been proposed in [5], but this is out of the scope of this paper. 


Strong normalization w.r.t. the two rules β and π has been characterized by typability with (idempotent) intersection types by Matthes [10]: a term is typable if and only if it is strongly normalizing. However, this characterization is only qualitative. A different flavor of intersection types, called non-idempotent, offers a more powerful quantitative characterization of strong normalization, in the sense that the length of the longest reduction sequence to normal form starting at a typable term t is bounded by the size of its type derivation. However, quantitative types have never been used in the framework of generalized applications, and it is our purpose to propose and study one such typing system.


Quantitative types allow for simple combinatorial proofs of strong normalization, without any need to use reducibility or computability arguments. More remarkably, they also provide a refined tool to understand permutative rules. For instance, in λJ, rule π is not quantitatively sound (i.e. π does not enjoy quantitative subject reduction), although π becomes valid in an idempotent framework. Hence, a good question is: how can we unblock redexes to reach normal forms in a quantitative model of computation based on generalized applications?


Our solution is to adopt the paradigm of distant reduction [2] coming from explicit substitution (ES) calculi, which extends the key concept of β-redex, so that we may find the λ-abstraction hidden under a sequence of nested generalized applications. This is essentially similar to adopting a different permutation rule, converting t(u, y.λx.s) to λx.t(u, y.s). However, the permutation rule is mostly a way to overcome syntactical limitations, while distant β is a way to put emphasis on the computational behavior of the calculus: it is at the β-step that resources are consumed, not during the permutations.


The syntax of the λJ-calculus will thus be equipped with an operational call-by-name semantics given by distant β, but without π. The resulting calculus is called λJn. As a major contribution, we prove a characterization of strong normalization in terms of typability in our quantitative system. In this proof, the soundness result (typability implies strong normalization) is obtained by combinatorial arguments, with the size of typing derivations decreasing at each step. For the completeness result (strong normalization implies typability) we need an inductive characterization of the terms that are strongly normalizing for distant β: this is a non-trivial technical contribution of the paper.
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As mentioned above, we draw inspiration for our distant 8 rule from calculi 
with explicit substitutions, having in mind the usual translation of t(u, y.r) to the 
explicit substitution [tu/y]r (a let-binding of tu over y in r). As such, we expect 
the dynamic behavior of our calculus to be faithful to explicit substitutions. 
Such translation, however, does not in general preserve strong normalization. 
Indeed, in a 6-redex (Ax.t)(u, y.r), the interaction of Ax.t with the argument u 
is materialized by the internal substitution in the contractum term {{u/a}t/y}r, 
as mentioned before. But such interaction is elusive: if the external substitution 
is vacuous (that is, if y is not free in r), 8-reduction will simply throw away the A- 
abstraction Ax.t and its argument u, whereas (Az.t)u may reduce in the context 
of the explicit substitution [(Ax.t)u/y]r. The different interaction between the 
abstraction and its argument in the two mentioned models of computation has 
important consequences. For instance, let 6° := Ar.a(x,w.w) be the encoding 
of 6 = Aw.xa as a AJ-term. Then, if y ¢ r and r is normal, the only thing the 
term 6°(6°,y.r) can do is to reduce to r, whereas 66 may reduce forever in the 
context of the vacuous explicit substitution [5d/y]r. 

That is why we propose a new, type-preserving, encoding of terms with gen- 
eralized applications into terms with explicit substitutions. Using this new en- 
coding and quantitative types, we show that strong normalization of the source 
term with generalized applications is equivalent to the strong normalization of 
the target term with explicit substitutions. 

As a final contribution, we compare λJn-strong normalization to that of other calculi, including the original λJ. We extract new results for the latter, such as a faithful translation to ES, and a new normalizing strategy. Moreover, we obtain a quantitative characterization of λJ-strong normalization, where the bound for reduction given by the size of type derivations only holds for β (and not for π).

Plan of the paper. Sec. 2 presents our calculus with distant β. Sec. 3 provides an inductive characterization of strongly normalizing terms. Sec. 4 is about non-idempotent intersection types. Sec. 5 shows the faithful translation to ES. Sec. 6 contains the comparisons with other calculi. Sec. 7 concludes. Full proofs are available in [6].


2 A Calculus with Generalized Applications


In this section we define our calculus λJn with generalized applications and give some introductory observations on strong normalization in that system.


2.1 Syntax and Semantics 


We start with some general notations. Given a reduction relation $\to_R$, we write $\to_R^*$ (resp. $\to_R^+$) for the reflexive-transitive (resp. transitive) closure of $\to_R$. A term t is said to be in R-normal form (written R-nf) iff there is no t' such that t $\to_R$ t'. A term t is said to be R-strongly normalizing (written t ∈ SN(R)) iff there is no infinite R-sequence starting at t. R is strongly normalizing iff every term is R-strongly normalizing. When R is finitely branching, $\|t\|_R$ denotes the maximal length of an R-reduction sequence to R-nf starting at t, for every t ∈ SN(R).


The set of terms generated by the following grammar is denoted by $T_J$:

$$(\text{Terms})\qquad t, u, r, s ::= x \mid \lambda x.t \mid t(u, x.r)$$

The term t(u, x.r) is called a generalized application, and the part x.r is sometimes referred to as the continuation of that application. Free variables of terms are defined as usual, notably fv(t(u, x.r)) := fv(t) ∪ fv(u) ∪ (fv(r) \ {x}). We also work modulo α-conversion, denoted $=_\alpha$, so that bound variables can be systematically renamed. We use I to denote the identity function λz.z.

We introduce contexts (terms with one occurrence of the hole □) and the special distant contexts:

$$\begin{array}{ll}
(\text{Contexts}) & C ::= \Box \mid \lambda x.C \mid C(u, x.r) \mid t(C, x.r) \mid t(u, x.C)\\
(\text{Distant Contexts}) & D ::= \Box \mid t(u, x.D)
\end{array}$$

The term C⟨t⟩ denotes C where □ is replaced by t, so that capture of variables may occur. Given a rewriting rule R ⊆ $T_J \times T_J$, $\to_R$ denotes the reduction relation generated by the closure of R under all contexts.

We say that t has an abstraction shape iff t = D⟨λx.u⟩. The substitution operation is capture-avoiding and defined as usual, in particular {u/x}(t(s, y.r)) := ({u/x}t)({u/x}s, y.{u/x}r).


2.2 Towards a Call-by-Name Operational Semantics


The $T_J$-syntax can be equipped with different rewriting rules, as discussed in the introduction. We use the generic notation $T_J[R]$ to denote the calculus given by the syntax $T_J$ equipped with the reduction relation $\to_R$.

Now, if we consider $t_0$ := t(u', y'.λx.s)(u, y.r) in the calculus $T_J[\beta]$, where

$$(\lambda x.s)(u, y.r) \mapsto_\beta \{\{u/x\}s/y\}r$$

we can see that the term $t_0$ is stuck since the subterm λx.s is not adjacent to the argument u. This is when the following rule π plays the role of an unblocker of β-redexes:

$$t(u, y.r)(u', y'.r') \mapsto_\pi t(u, y.r(u', y'.r'))$$

Indeed, $t_0 \to_\pi$ t(u', y'.(λx.s)(u, y.r)) $\to_\beta$ t(u', y'.{{u/x}s/y}r). More generally, given $t_1$ := D⟨λx.s⟩(u, y.r), with D ≠ □, a sequence of π-steps reduces the term $t_1$ above to D⟨(λx.s)(u, y.r)⟩. A further β-step produces D⟨{{u/x}s/y}r⟩. So, the original λJ-calculus [8], which is exactly $T_J[\beta, \pi]$, has a derived notion of distant β rule, based on π, which can be specified by the following rule:

$$D\langle \lambda x.s\rangle(u, y.r) \mapsto D\langle\{\{u/x\}s/y\}r\rangle \qquad (1)$$


However, π-reduction is not only about unblocking redexes, as witnessed by D⟨x⟩(u, y.r) $\to_\pi^*$ D⟨x(u, y.r)⟩. So it is reasonable to keep terms of the form D⟨x⟩(u, y.r) without reducing them further, as those π-steps do not contribute to unblock more β-redexes. The absence of terms of the form D⟨λx.s⟩(u, y.r) already gives a reasonable notion of normal form which, in particular, already enjoys the subformula property, as will be seen in Sec. 2.3.

Still, we will not reduce as in (1) because such a rule, as well as π itself, does not admit a quantitative semantics (cf. Sec. 4.3). We then choose to unblock β-redexes with the following rule $\rho_2$ instead*:

$$t(u', y'.\lambda x.s) \mapsto_{\rho_2} \lambda x.t(u', y'.s)$$

so that $t_1$ given above reduces in several $\rho_2$-steps to (λx.D⟨s⟩)(u, y.r), which can now be further reduced with β since it is no longer stuck. If we reduce it, we obtain {{u/x}D⟨s⟩/y}r; and since free variables in u cannot be captured by D, this is equal to {D⟨{u/x}s⟩/y}r. We thus obtain our distant rule:

Definition 1. We write λJn for our new calculus $T_J[d\beta]$, where the distant β-rule is defined as follows:

$$D\langle\lambda x.t\rangle(u, y.r) \mapsto_{d\beta} \{D\langle\{u/x\}t\rangle/y\}r$$

A reduction step $t_1 \to_{d\beta} t_2$ is said to be erasing iff the reduced dβ-redex in $t_1$ is of the form D⟨λx.t⟩(u, y.r) with x ∉ fv(t) or y ∉ fv(r).

It is obvious that $\to_\beta \subseteq \to_{d\beta}$. Some other variants of the $\rho_2$-rule are possible, like D⟨λx.t⟩(u, y.r) ↦ (λx.D⟨t⟩)(u, y.r) or D⟨λx.t⟩ $\mapsto_{\rho_2}$ λx.D⟨t⟩, in both cases for D ≠ □, but we do not develop them. However, while most of the paper is about λJn, brief comparisons with the calculi λJ and $T_J[\beta, \rho_2]$ are considered in Sec. 6.


2.3 Some (Un)typed Properties of λJn

Lemma 1. The grammar m characterizes dβ-normal forms.

$$m ::= x \mid \lambda x.m \mid m_{var}(m, x.m) \qquad\qquad m_{var} ::= x \mid m_{var}(m, x.m_{var})$$

We already saw that, once β is generalized to dβ, π is not needed anymore to unblock β-redexes; the next Lemma says that π preserves dβ-nfs, so it does not bring anything new to dβ-nfs either. The proof uses Lem. 1, and proceeds by simultaneous induction on m and $m_{var}$.

Lemma 2. If t is a dβ-nf, and t $\to_\pi$ t', then t' is a dβ-nf.

Let us discuss now some properties related to (simple) typability for generalized applications [8], a system that we call ST. Recall the following typing rules, where σ, ρ, τ ::= a | σ → ρ, and a belongs to a set of base type variables:

$$\frac{}{\Gamma, x:\sigma \vdash x:\sigma}\qquad
\frac{\Gamma, x:\sigma \vdash t:\rho}{\Gamma \vdash \lambda x.t : \sigma\to\rho}\qquad
\frac{\Gamma\vdash t:\rho\to\tau\qquad \Gamma\vdash u:\rho\qquad \Gamma, y:\tau\vdash r:\sigma}{\Gamma\vdash t(u,y.r):\sigma}$$

We write Γ $\Vdash_{ST}$ t : σ if there is a type derivation in system ST ending in Γ ⊢ t : σ. In the following result, we refer to simple types as formulas.


* Rule $\rho_2$ is used in [7,3] along with two other permutation rules $\rho_1$ and $\rho_3$ to reduce $T_J$-terms to a fragment isomorphic to natural deduction.
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Lemma 3 (Subformula Property). If 8 = T |lkgr m:7 then every formula 
in the derivation © is a subformula of T or a subformula of some formula in P. 


Proof. The lemma is proved together with another statement: If Y = I lk gr 
Myar : T then every formula in W is a subformula of some formula in I’. The proof 
is by simultaneous induction of @ and Y. 


We close this section with the following: 
Theorem 1. Ift is simply typable, i.e. I I-sr t:o, then t€ SN(d8). 


The proof is by a map into the A-calculus which produces a simulation when the 
A-calculus is equipped with the following o-rules [13]: 


(Az.M)NN'++,, (Av. MN')N (Az. Ay. M)N >o, Ay.(Av.M)N 


3 Inductive Characterization of Strong Normalization


In this section we give an inductive characterization of strong normalization (ISN) for λJn and prove it correct. This characterization will be useful to show completeness of the type system that we are going to present in Sec. 4.1, as well as to compare strong normalization of λJn to those of $T_J[\beta, \rho_2]$ and λJ.


3.1 ISN in the λ-Calculus Through Weak-Head Contexts


As an introduction, we first look at the case of ISN for the λ-calculus (ISN(β)), on which our forthcoming definition of ISN(dβ) elaborates. A usual way to define ISN(β) is by the following rules [12], where the general notation $t\,\vec r$ abbreviates $(\ldots(t\,r_1)\ldots)\,r_n$ for some n ≥ 0.

$$\frac{r_1,\dots,r_n\in ISN(\beta)}{x\,\vec r\in ISN(\beta)}\qquad
\frac{t\in ISN(\beta)}{\lambda x.t\in ISN(\beta)}\qquad
\frac{\{u/x\}t\,\vec r,\ u\in ISN(\beta)}{(\lambda x.t)u\,\vec r\in ISN(\beta)}$$

One shows that t ∈ SN(β) if and only if t ∈ ISN(β).

The reduction strategy underlying the definition of ISN(β) is the following one: reduce terms to weak-head normal form, and then iterate reduction inside the components of the weak-head normal form, without any need to come back to the head of the term. Weak-head normal terms are of two kinds: (neutral terms) n ::= x | nt and (answers) a ::= λx.t. Neutral terms cannot produce any head β-redex. On the contrary, answers can create a β-redex when given at least one argument. In the case of the λ-calculus, these are only abstractions. If the term is not a weak-head normal term, a redex can be located with a weak-head context W ::= □ | Wt. These concepts allow a different definition of ISN(β).

$$\frac{}{x\in ISN(\beta)}\qquad
\frac{n, t\in ISN(\beta)}{nt\in ISN(\beta)}\qquad
\frac{t\in ISN(\beta)}{\lambda x.t\in ISN(\beta)}\qquad
\frac{W\langle\{u/x\}t\rangle,\ u\in ISN(\beta)}{W\langle(\lambda x.t)u\rangle\in ISN(\beta)}$$

Weak-head contexts are an alternative to the meta-syntactic notation $\vec r$ of vectors of arguments. Notice that there is one rule for each kind of neutral term, one rule for answers and one rule for terms which are not weak-head normal forms.
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3.2 ISN for dG 


We define TSN (dG) with the same methodology as before. Hence, we first have 
to define neutral terms, answers and weak-head contexts. 


Definition 2. We consider the following grammars: 


(Neutral terms 

(Answers 

(Neutral distant contexts 
(Weak-head contexts 


n := 2 |n(u,z.n) 

a = Az.t | n(u, x.a) 

Dn ::= Q | n(u, x.Dn) 

W x= Q | W(u,x.r) | n(u, x.W) 


oN Aa 


Notice that n and a are disjoint and stable by dG-reduction. Also Dy Ç W. 


Example 1 (Decomposition). Let t = zı (£2, yY1.I (I, z.1))(x3, y-IT). Then, there 
are two decompositions of t in terms of a redex r and a weak-head context W: 
either W = 9 and r = t, or W = z1 (£2,Y1-0)(£3,y.II) and r = I(I,z.I). In both 
cases t = W(r). We will rule out the first possibility by defining next a restriction 
of the 6-rule, securing uniqueness of such kind of decomposition in all cases. 


The strategy underlying our definition of ISN(dβ) will be the weak-head strategy $\to_{wh}$, defined as the closure under W of the following restricted dβ-rule:

$$D_n\langle\lambda x.t\rangle(u, y.r) \mapsto \{D_n\langle\{u/x\}t\rangle/y\}r$$

The restriction of D to a neutral distant context $D_n$ is what allows determinism of our forthcoming Def. 3.


Lemma 4. The reduction $\to_{wh}$ is deterministic.


As in the case of the λ-calculus, weak-head normal forms are either neutral terms or answers. This time, answers are not only abstractions, but also abstractions under a (neutral) distant context. Because of distance, these terms can also create a dβ-redex when applied to an argument, as seen in the next example.


Example 2. Consider again the term t of Ex. 1. If the third form in the grammar of W were disallowed, then it would not be possible to write t as W⟨r⟩, with r a restricted redex. In that case, the reduction strategy associated with ISN(dβ) would consider t as a weak-head normal form, and start reducing the subterms of t, including I(I, z.I). Now, the latter would eventually reach I and suddenly the whole term, now $x_1(x_2, y_1.I)(x_3, y.r')$, would be a weak-head redex again: the typical separation between an initial weak-head reduction phase and a later internal reduction phase, as is the case in the λ-calculus, would be lost in our framework. This is a subtle point due to the distant character of rule dβ which explains the complexity of Def. 2.


Lemma 5. Let t ∈ $T_J$. Then t is in wh-normal form iff t ∈ n ∪ a.


Our inductive definition of strong normalization follows. 
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Definition 3 (Inductive Strong Normalization). We consider the follow- 

ing inductive predicate: 

n,u,r E€ TSN (aß) r € wh-nf 
n(u, x.r) € TSN (dB) 


(snvar) (snapp) 


x € TSN (a8) 


LETSN(AB) nans) Yau} /0}) Dalt), € TSN (O8) 
Aàz.t € TSN (aß) W(Da(Azx.t) (u, y-r)) € TSN (dB) 


(snbeta) 


Notice that every term can be written according to the conclusions of the previ- 
ous rules, so that the grammar t, u,r := x | Ax.t | n(t, x.r) | WDa(Az.t) (u, y-s)), 
with r € wh-nf, also defines the syntax T;. Moreover, at most one rule in the 
previous definition applies to each term, i.e. the rules are deterministic. An 
equivalent, but non-deterministic definition, can be given by removing the side 
condition “r € wh-nf” in rule (snapp). Indeed, this (weaker) rule would overlap 
with rule (snbeta) for terms in which the weak-head context lies in the last con- 
tinuation, as for instance in z(u, y.y)(u’, y’.II). Notice the difference with the 
A-calculus: the head of a term with generalized applications can be either on the 
left of the term (as in the -calculus), or recursively on the left in a continuation. 
We conclude with the following result. 


Theorem 2. SN (a8) = TSN (aß). 
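The definitions of Sec. 2.2 (the distant rule dβ of Def. 1) and Sec. 3.2 (the restricted rule under neutral distant contexts, the weak-head strategy and the predicate ISN(dβ) of Def. 3) can be exercised on a machine. The following Python model is an added example; it is not code from the paper or its authors. It assumes that II in Example 1 abbreviates I(I, z.z), that fresh variables may be named with a leading underscore (so input terms must not use such names), and it bounds the recursion of the ISN check by a fuel counter: on a term outside SN(dβ), such as δ°(δ°, y.y), rule (snbeta) never bottoms out and the check simply runs out of fuel.

```python
import itertools

# Terms: ('var', x) | ('lam', x, t) | ('app', t, u, x, r)   for   x | λx.t | t(u, x.r)
def var(x): return ('var', x)
def lam(x, t): return ('lam', x, t)
def app(t, u, x, r): return ('app', t, u, x, r)

def fv(t):
    if t[0] == 'var': return {t[1]}
    if t[0] == 'lam': return fv(t[2]) - {t[1]}
    _, f, u, x, r = t
    return fv(f) | fv(u) | (fv(r) - {x})

_fresh = itertools.count()
def fresh():
    return f"_{next(_fresh)}"   # assumption: user terms never use names starting with '_'

def subst(u, x, t):
    """Capture-avoiding substitution {u/x}t (Sec. 2.1)."""
    if t[0] == 'var':
        return u if t[1] == x else t
    if t[0] == 'lam':
        _, y, body = t
        if y == x: return t
        if y in fv(u):                       # λy would capture a free y of u: α-rename it
            z = fresh(); body, y = subst(var(z), y, body), z
        return lam(y, subst(u, x, body))
    _, f, a, y, r = t
    f, a = subst(u, x, f), subst(u, x, a)
    if y == x: return app(f, a, y, r)
    if y in fv(u):
        z = fresh(); r, y = subst(var(z), y, r), z
    return app(f, a, y, subst(u, x, r))

# Neutral terms n ::= x | n(u,x.n) and answers a ::= λx.t | n(u,x.a) (Def. 2)
def is_neutral(t):
    return t[0] == 'var' or (t[0] == 'app' and is_neutral(t[1]) and is_neutral(t[4]))
def is_answer(t):
    return t[0] == 'lam' or (t[0] == 'app' and is_neutral(t[1]) and is_answer(t[4]))

def peel(t, neutral_only=False):
    """Write t = D<core> by following continuations (D ::= □ | t(u,x.D)); with
    neutral_only every frame must be n(u,x.□), i.e. D is a D_n of Def. 2."""
    frames = []
    while t[0] == 'app' and (not neutral_only or is_neutral(t[1])):
        frames.append(t[1:4]); t = t[4]
    return frames, t

def plug(frames, s):
    """D<s>, D given as its list of frames (t, u, x), outermost first."""
    for f, u, x in reversed(frames):
        s = app(f, u, x, s)
    return s

def contract(t, neutral_only=False):
    """If t = D<λx.s>(u, y.r) return the dβ-contractum {D<{u/x}s>/y}r (Def. 1), else None.
    With neutral_only, D is restricted to D_n: the rule underlying →wh (Sec. 3.2)."""
    if t[0] != 'app': return None
    _, f, u, y, r = t
    frames, core = peel(f, neutral_only)
    if core[0] != 'lam': return None
    x, s = core[1], core[2]
    z = fresh()   # rename x to a fresh z so that {u/z} can be pushed through D by subst,
    inner = subst(u, z, plug(frames, subst(var(z), x, s)))   # which α-renames binders of D
    return subst(inner, y, r)                                # that would capture fv(u)

def locate(t):
    """Unique decomposition t = W<r>, r a D_n-redex, W ::= □ | W(u,x.r) | n(u,x.W) (Lemma 4).
    Returns (r, plug_W) or None when t is a wh-normal form (Lemma 5)."""
    if contract(t, True) is not None: return t, (lambda s: s)
    if t[0] != 'app': return None
    _, f, u, x, r = t
    found = locate(f)                                   # W(u, x.r)
    if found: red, w = found; return red, (lambda s: app(w(s), u, x, r))
    if is_neutral(f):                                   # n(u, x.W)
        found = locate(r)
        if found: red, w = found; return red, (lambda s: app(f, u, x, w(s)))
    return None

def wh_step(t):
    found = locate(t)
    return None if found is None else found[1](contract(found[0], True))

def wh_nf(t, fuel=100):
    """Iterate →wh: (weak-head normal form, number of steps), or None if fuel runs out."""
    for n in range(fuel):
        s = wh_step(t)
        if s is None: return t, n
        t = s
    return None

def isn(t, fuel=60):
    """ISN(dβ) of Def. 3 read as a decision procedure: True = derivable, None = fuel exhausted."""
    if fuel == 0: return None
    if t[0] == 'var': return True                                   # (snvar)
    if t[0] == 'lam': return isn(t[2], fuel - 1)                    # (snabs)
    found = locate(t)
    if found is None:                                               # (snapp): n(u, x.r), r wh-nf
        _, n, u, x, r = t
        assert is_neutral(n) and wh_step(r) is None
        prem = [n, u, r]
    else:                                                           # (snbeta)
        red, _ = found
        frames, core = peel(red[1], True)
        prem = [wh_step(t), plug(frames, core[2]), red[2]]          #  W<contractum>, D_n<s>, u
    res = [isn(p, fuel - 1) for p in prem]
    return None if None in res else all(res)

# Constructed sample terms: I = λz.z, δ° = λx.x(x, w.w) (encoding of λx.xx), II read as I(I, z.z)
I = lam('z', var('z'))
DELTA = lam('x', app(var('x'), var('x'), 'w', var('w')))
T_ERASE = app(DELTA, DELTA, 'y', var('z'))    # δ°(δ°, y.z): one erasing dβ-step to z (Sec. 1)
OMEGA = app(DELTA, DELTA, 'y', var('y'))      # δ°(δ°, y.y): dβ-reduces to an α-copy of itself
T_EX1 = app(app(var('x1'), var('x2'), 'y1', app(I, I, 'z', I)),
            var('x3'), 'y', app(I, I, 'z', var('z')))              # t of Example 1
```

On T_EX1, `contract(T_EX1)` succeeds with the unrestricted D (the first decomposition of Example 1, W = □), while `contract(T_EX1, True)` fails because the frame I(I, z.□) is not neutral; `locate` therefore picks the second decomposition, and `wh_nf(T_EX1)` reaches I in three weak-head steps. `contract(T_ERASE)` returns z in one erasing step, `isn` answers True on T_ERASE and T_EX1, and on OMEGA both `wh_nf` and `isn` run out of fuel and return None.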


4 Quantitative Types Characterize Strong Normalization


We proved that simply typable terms are strongly normalizing in Sec. 2.3. In this section we use non-idempotent intersection types to fully characterize strong normalization, so that strongly normalizing terms are also typable. First we introduce the typing system, next we prove the characterization and finally we study the quantitative behavior of π and give in particular an example of failure.


4.1 The Typing System


We now define our quantitative type system ∩J for $T_J$-terms and we show that strong normalization in λJn exactly corresponds to ∩J typability.

Given a countably infinite set BTV of base type variables a, b, c, ..., we define the following sets of types:

$$\begin{array}{ll}
(\text{types}) & \sigma, \tau, \rho ::= a \in BTV \mid M \to \sigma\\
(\text{multiset types}) & M, N ::= [\sigma_i]_{i\in I}\ \text{ where } I \text{ is a finite set}
\end{array}$$

The empty multiset is denoted []. We use |M| to denote the size of the multiset, thus if M = $[\sigma_i]_{i\in I}$ then |M| = |I|. We introduce a choice operator on multiset types: if M ≠ [], then #(M) = M, otherwise #([]) = [σ], where σ is an arbitrary type. This operator is used to guarantee that there is always a typing witness for all the subterms of typed terms.
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Typing environments (or just environments), written T, A, A, are func- 
tions from variables to multiset types assigning the empty multiset to all but a fi- 
nite set of variables. The domain of I is given by dom(I°) := {x | r(x) 4 []}. The 
union of environments, written AA, is defined by (PA A)(x) := I'(a)UA(a), 
where U denotes multiset union. This notion is extended to several environments 
as expected, so that Aje,I; denotes a finite union of environments (AjerJ; is to 
be understood as the empty environment when J = Ø). We write I’\\ x for the 
environment such that ("\ x)(y) = T (y) if y # x and (I’\x)(x) = []. We write 
I; A for I’ A A when dom(I’) N dom(A) = Ø. A sequent has the form I F t: 0, 
where J’ is an environment, t is a term, and ø is a type. 

The type system MJ is given by the following typing rules. 

r T;a:Mbt:o ao ( ier Pi ae 
: ' Ph Anwt:M—oo Niet F t: [oilier 


Trt: #(M; > Tilier) AF u: #(UierM;) A; z : [rihierF r:o 
DTAANAF tlu, x.r): o 


(app) 


The use of the choice operator in rule (app) is subtle. If J is empty, then the 
multiset [M; > tiJier typing t as well as the multiset Uje7M; typing u are both 
empty, so that the choice operator must be used to type both terms. If J is not 
empty, then the multiset typing t is non-empty as well. However, the multiset 
typing u may or not be empty, e.g. if [[] > a] types t. 

System MJ lacks weakening: it is relevant. 
Lemma 6 (Relevance). If I |b t: 0, then fv(t) = dom(TL). 


Notice that the typing rules (and the choice operator) force all the subterms 
of a typed term to be also typed. Moreover, if J = @ in rule (app), then the 
types of t and u are not necessarily related. Indeed, let 6° := Ay.y(y, w.w) in 
to := 6°(6°,u.z). Then to is d6-strongly-normalizing so it must be typed in 
system MJ. However, since the set I of x : [ri|ice7 in the typing of r = z is 
necessarily empty (c.f. Lem. 6), then the unrelated types #([(M; > Tilicr) and 
#(UierM;) of the two occurrences of 5° witness to the fact that these subterms 
will never interact during the reduction of to. Indeed, the term tp can be typed 


as follows, where p; := [[oi] > oi, oi] > ci and 7; := [o;i] > o;, for i = 1,2: 
dt 6° m, dt &° pr = 
OFS: [al DEE [pl O ziha: Fr 

(app) 


zi [r] F 6°(0°,a.z):7 
where 6° is typed with p; as follows: 
r Oe (var) 
Ta 


y : [loi] > ci, oil] F yly, w.w) : 0; 


OE rAy-y(y, w.w) : [loi] > 04,04] > oi 
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We write I l-,7 t: o or simply T IF t: o if there is a derivation in system NJ 
ending in I’ t: ø. For n > 1, we write I IFz t: 0 or simply I IH” t: o if there 
is a derivation in system NJ ending in I’ F t: ø and containing n occurrences of 
rules in the set {(var), (abs), (app)}. 


4.2 The Characterization of dβ-Strong Normalization


The soundness Lem. 9 is based on Lem. 8, based in turn on Lem. 7.


Lemma 7 (Substitution Lemma). Let t, u ∈ $T_J$ with x ∈ fv(t). If both Γ; x : M $\Vdash^n$ t : σ and Δ $\Vdash^m$ u : M hold, then Γ ∧ Δ $\Vdash^k$ {u/x}t : σ where k = n + m − |M|.


Lemma 8 (Non-Erasing Subject Reduction). Let Γ $\Vdash^{n_1}$ $t_1$ : σ. If $t_1 \to_{d\beta} t_2$ is a non-erasing step, then Γ $\Vdash^{n_2}$ $t_2$ : σ with $n_1 > n_2$.


Lemma 9 (Soundness for λJn). If t is ∩J-typable, then t ∈ SN(dβ).


The completeness Lem. 13 is based on Lem. 10 and Lem. 12, this last based in turn on Lem. 11.


Lemma 10 (Typing Normal Forms).

1. For all t ∈ m, there exist Γ, σ such that Γ $\Vdash_{\cap J}$ t : σ.
2. For all t ∈ $m_{var}$, for all σ, there exists Γ such that Γ $\Vdash_{\cap J}$ t : σ.


Lemma 11 (Anti-Substitution). If Γ ⊩ {u/x}t : σ where x ∈ fv(t), then there exist $\Gamma_t$, $\Gamma_u$ and M ≠ [] such that $\Gamma_t$; x : M ⊩ t : σ, $\Gamma_u$ ⊩ u : M and Γ = $\Gamma_t \wedge \Gamma_u$.


Lemma 12 (Non-Erasing Subject Expansion). If Γ $\Vdash_{\cap J}$ $t_2$ : σ and $t_1 \to_{d\beta} t_2$ is a non-erasing step, then Γ $\Vdash_{\cap J}$ $t_1$ : σ.


Lemma 13 (Completeness for λJn). If t ∈ SN(dβ), then t is ∩J-typable.

We finally obtain:

Theorem 3 (Characterization). System ∩J characterizes strong normalization, i.e. t is ∩J-typable if and only if t is dβ-strongly normalizing. Moreover, if Γ $\Vdash^n$ t : σ then the number of reduction steps in any reduction sequence from t to normal form is bounded by n.


Proof. Soundness holds by Lem. 9, while completeness holds by Lem. 13. The bound is given by Thm. 9 in the long version [6].
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4.3 Why vm Is Not Quantitative 


In the introduction we discussed that m is rejected by the quantitative type 
systems MJ for CBN. This happens in the critical case when x ¢ fv(r) and 
y E€ fv(r’) in to = t(u,x.r)(u, y.) >r t(u,x.r(u',y.r')) = tı. Let us see a 
concrete example. 


Example 3. We take tı = x(y,a.z)(w, b.b(b, ¢.c)) >r x(y,a.z(w, b.b(b, c.c))) = 
[oi]; y : [oa]; z : [pi]. Consider 


b: [[7] > T] IF b: [[7] > 7] b: [r] IF b: [r] cilre 
v= b: [[r] > 7,7] F b(b, c.c) : T 


and the derivation ©; for i € {1,2}: 


x : [o1] I- x : [or] y : [oa] IF y : [a9] z: [p:i] F z: pi 
p; = A; F z(y,a.z) : pi 


Then, for the term tı, we have the following derivation: 
Pı Pa 
A, A l2 F z(y, a.z) : [p1, p2] w : [o,a] l- w : [o,o] Ww 
I, F z(y, a.z)(w, 0.b(b, c.c)) : T 


where I, = z: [p1, p2]; w : [o,o]; x : [o1, 01]; y : [o2, 02]. 
While for the term t2, we have: 
x: [oy] IF a: [or] y : [o2] IF y : [o2] p 
Ia F z(y, a.z(w, b.b(b, c.c))) : T 


where 


zino] z: lono] w:lookw:loo] Y 
p = I> E z(w,b.b(b,c.c)): T 


and Io = z : [p1, p2]; w : [o,o]; x : [o1]; y : [o2]. 

Thus, the multiset types of x and y in I, and I» resp. are not the same. 
Despite the fact that the step tı >, t2 does not erase any subterm, the typing 
environment is losing quantitative information. 


Notice that by replacing non-idempotent types by idempotent ones, subject re- 
duction (and expansion) would work for m-reduction: by assigning sets to vari- 
ables instead of multisets, I and I> would now represent the same object. 

Despite the fact that quantitative subject reduction fails for some 7-steps, 
the following weaker property is sufficient to recover (qualitative) soundness of 
our typing system NJ w.r.t. the reduction relation +, ,. Soundness will be used 
later in Sec. 6 to show equivalence between SN (da8) and SN (8, 7). 
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Lemma 14 (Typing Behavior of 7-Reduction). Let I |S), ti: 0. If ti = 
t(u,x.r)(u’,y.1’) >r t2 = t(u,x.r(u',y.r’)), then there are no and X ET such 
that SIF 72, t2 : 0 with ny > no. 


Lemma 15 (Soundness for AJ). Ift is NJ-typable, then t € SN (8,7). 


5 Faithfulness of the Translation 


As discussed in the introduction, the natural translation [4] of generalized appli- 
cations into ES is not faithful. In this section we define an alternative encoding 
and prove it faithful: a term in Ty is dG-strongly normalizing iff its alternative 
encoding is strongly normalizing in the ES framework. In a later subsection, we 
use this connection with ES to establish the equivalence between strong normal- 
ization w.r.t. dG and (8, po). 


5.1 Explicit Substitutions

We define the syntax and semantics of an ES calculus borrowed from [1] to which we relate λJn. It is a simple calculus where β is implemented in two independent steps: one creating a let-binding, and another one substituting the term bound. It has a notion of distance which allows to reduce redexes such as $([N/x](\lambda y.M))P \to_{dB} [N/x][P/y]M$, where the ES $[N/x]$ lies between the abstraction and its argument. Terms and list contexts are given by:

$(T_{ES})\quad M, N, P, Q ::= x \mid \lambda x.M \mid MN \mid [N/x]M$
$(\text{List contexts})\quad L ::= \Diamond \mid [N/x]L$

The calculus λES is defined by $T_{ES}[dB, s]$ (closed under all contexts) where:

$L\langle\lambda x.M\rangle N \to_{dB} L\langle[N/x]M\rangle \qquad [N/x]M \to_s \{N/x\}M$

Now, consider the (naive) translation from $T_J$ to $T_{ES}$ [4]:

$x^* := x \qquad (\lambda x.t)^* := \lambda x.t^* \qquad t(u,y.r)^* := [t^*u^*/y]r^*$


According to this translation, the notion of distance in λES corresponds to our notion of distance for λJn. For instance, the application $t(u,x.\cdot)$ in the term $t(u,x.\lambda y.r)(u',z.r')$ can be seen as a substitution $[t^*u^*/x]\cdot$ inserted between the abstraction $\lambda y.r$ and the argument $u'$. But how can we now (informally) relate π to the notions of existing permutations for λES? Using the previous translation, we can see that $t_0 = t(u,x.r)(u',y.r') \to_\pi t(u,x.r(u',y.r')) = t_1$ simulates as

$t_0^* = [([t^*u^*/x]r^*)u'^*/y]r'^* \to_{\sigma_1} [[t^*u^*/x](r^*u'^*)/y]r'^* \to_{\sigma_4} [t^*u^*/x][r^*u'^*/y]r'^* = t_1^*.$

The first step is an instance of a rule in ES known as $\sigma_1$: $([u/x]t)v \to [u/x](tv)$, and the second one of a rule we call $\sigma_4$: $[[u/x]t/y]v \to [u/x][t/y]v$. Quantitative types for ES tell us that only rule $\sigma_1$, but not rule $\sigma_4$, is valid for a call-by-name calculus. This is why it is not surprising that π is rejected by our type system, as detailed in Sec. 4.3.

The alternative encoding we propose is as follows (noted $\_^\star$ instead of $\_^*$):

Definition 4 (Translation from $T_J$ to $T_{ES}$).
$x^\star := x \qquad (\lambda x.t)^\star := \lambda x.t^\star \qquad t(u,x.r)^\star := [t^\star/x^l][u^\star/x^r]\{x^lx^r/x\}r^\star$

Notice the above π-reduction $t_0 \to_\pi t_1$ is still simulated: $t_0^\star \to^2_{\sigma_4} t_1^\star$.

Consider again the counterexample to faithfulness already discussed in the introduction, given by $t := \delta^\circ(\delta^\circ, y.r)$ with $y \notin fv(r)$, where $\delta^\circ = \lambda x.x(x,w.w)$. The term t is a dβ-redex, whose contraction throws away the two copies of $\delta^\circ$. The naive translation of t gives $[\delta^{\circ*}\delta^{\circ*}/y]r^*$, which clearly diverges in λES. The alternative encoding of t is $[\delta^{\circ\star}/y^l][\delta^{\circ\star}/y^r]\{y^ly^r/y\}r^\star$, which is just $[\delta^{\circ\star}/y^l][\delta^{\circ\star}/y^r]r^\star$, because $y \notin fv(r^\star)$. The only hope to have an interaction between the two copies of $\delta^{\circ\star}$ in the previous term is to execute the ES, but such executions will just throw away those two copies, because $y^l, y^r \notin fv(r^\star)$. This gives an intuitive idea of the faithfulness of our encoding.
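To make the contrast between the two encodings concrete, here is an added example in Python (it is not code from the paper or its authors). It represents the terms of $T_J$ and $T_{ES}$, implements the naive translation $\_^*$ of [4] and the alternative encoding $\_^\star$ of Def. 4, and decides strong normalization of small ES terms by exhaustively exploring their reduction graph modulo α-equivalence: a back edge found by the depth-first search is a reduction cycle. The tuple representation of terms, the spelling of $x^l$ and $x^r$ as `x^l` and `x^r`, the fresh-name scheme, the choice $r := z$ for the counterexample and the node limit are my own assumptions.

```python
"""Added example (not the paper's code): the ES calculus of Sec. 5.1, the naive
translation _* of [4], the alternative encoding of Def. 4, and an exhaustive
reduction-graph search deciding strong normalisation of small ES terms."""
import itertools

# T_ES terms: ('var', x) | ('lam', x, M) | ('app', M, N) | ('es', x, N, M)   ([N/x]M)
# T_J terms:  ('var', x) | ('lam', x, t) | ('gapp', t, u, y, r)              (t(u, y.r))
_fresh = itertools.count()

def subst(t, x, n):
    """Meta-level substitution {n/x}t; every binder met is renamed to a fresh name."""
    kind = t[0]
    if kind == 'var':
        return n if t[1] == x else t
    if kind == 'app':
        return ('app', subst(t[1], x, n), subst(t[2], x, n))
    if kind == 'lam':
        y2 = f"{t[1]}_{next(_fresh)}"
        return ('lam', y2, subst(subst(t[2], t[1], ('var', y2)), x, n))
    _, y, m, body = t                                  # [m/y]body: y bound in body only
    y2 = f"{y}_{next(_fresh)}"
    return ('es', y2, subst(m, x, n), subst(subst(body, y, ('var', y2)), x, n))

def reducts(t):
    """All terms reachable from t by one dB- or s-step, in any context."""
    kind, out = t[0], []
    if kind == 'app':
        m, n = t[1], t[2]
        ctx, inner = [], m                             # peel the list context L off m
        while inner[0] == 'es':
            ctx.append((inner[1], inner[2]))
            inner = inner[3]
        if inner[0] == 'lam':                          # L<lam x.M> N  ->dB  L<[N/x]M>
            res = ('es', inner[1], n, inner[2])
            for y, p in reversed(ctx):
                res = ('es', y, p, res)
            out.append(res)
        out += [('app', m2, n) for m2 in reducts(m)]
        out += [('app', m, n2) for n2 in reducts(n)]
    elif kind == 'lam':
        out += [('lam', t[1], b2) for b2 in reducts(t[2])]
    elif kind == 'es':
        _, x, n, m = t
        out.append(subst(m, x, n))                     # [N/x]M  ->s  {N/x}M
        out += [('es', x, n2, m) for n2 in reducts(n)]
        out += [('es', x, n, m2) for m2 in reducts(m)]
    return out

def canon(t, env=()):
    """Alpha-invariant printing: bound variables become de Bruijn indices."""
    kind = t[0]
    if kind == 'var':
        return str(env.index(t[1])) if t[1] in env else t[1]
    if kind == 'lam':
        return f"(lam {canon(t[2], (t[1],) + env)})"
    if kind == 'app':
        return f"({canon(t[1], env)} {canon(t[2], env)})"
    _, x, n, m = t
    return f"([{canon(n, env)}/]{canon(m, (x,) + env)})"

def is_strongly_normalizing(t, limit=5000):
    """DFS over the reduction graph modulo alpha-equivalence: a back edge is a
    reduction cycle; a fully explored acyclic graph means SN (finite branching)."""
    colour = {}

    def dfs(key, term):
        colour[key] = 'grey'
        for r in reducts(term):
            c = canon(r)
            if colour.get(c) == 'grey':
                return False
            if c not in colour:
                if len(colour) >= limit:
                    raise RuntimeError("reduction graph too large to explore")
                if not dfs(c, r):
                    return False
        colour[key] = 'black'
        return True

    return dfs(canon(t), t)

def naive(t):
    """_* of [4]:  t(u, y.r)* = [t* u* / y] r*"""
    if t[0] == 'var':
        return t
    if t[0] == 'lam':
        return ('lam', t[1], naive(t[2]))
    _, f, u, y, r = t
    return ('es', y, ('app', naive(f), naive(u)), naive(r))

def alt(t):
    """Def. 4:  t(u, x.r) = [t/x^l][u/x^r]{x^l x^r / x} r  (all subterms translated)"""
    if t[0] == 'var':
        return t
    if t[0] == 'lam':
        return ('lam', t[1], alt(t[2]))
    _, f, u, x, r = t
    xl, xr = x + '^l', x + '^r'
    body = subst(alt(r), x, ('app', ('var', xl), ('var', xr)))
    return ('es', xl, alt(f), ('es', xr, alt(u), body))

# Counterexample of Sec. 5.1: delta = lam x.x(x, w.w), t = delta(delta, y.r), y not free in r.
# Taking r to be the free variable z is a constructed choice.
DELTA = ('lam', 'x', ('gapp', ('var', 'x'), ('var', 'x'), 'w', ('var', 'w')))
COUNTEREXAMPLE = ('gapp', DELTA, DELTA, 'y', ('var', 'z'))
```

On the counterexample, `is_strongly_normalizing(naive(COUNTEREXAMPLE))` is false because $\delta^{\circ*}\delta^{\circ*}$ reduces back to itself in three steps (one dB-step followed by two s-steps), while `is_strongly_normalizing(alt(COUNTEREXAMPLE))` is true: the only redexes of the alternative encoding are s-steps, which discard the two copies of $\delta^{\circ\star}$. The search is exact only when the reduction graph is finite; the node limit guards against unbounded exploration on larger terms.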


5.2 Proof of Faithfulness

We need to prove the equivalence between two notions of strong normalization: the one of a term in λJn and the one of its encoding in λES. While this proof can be a bit involved using traditional methods, quantitative types will make it very straightforward. Indeed, since quantitative types correspond exactly to strong normalization, we only have to show that a term t is typable exactly when its encoding is typable, for two appropriate quantitative type systems.

For λES, we will use the following system [9]:


Definition 5 (The Type System ∩ES).

$\dfrac{}{x:[\sigma] \Vdash x : \sigma}\ (var) \qquad \dfrac{\Gamma; x:\mathcal{M} \Vdash t : \sigma}{\Gamma \Vdash \lambda x.t : \mathcal{M} \to \sigma}\ (abs)$

$\dfrac{(\Gamma_i \Vdash M : \sigma_i)_{i \in I}}{\uplus_{i \in I}\Gamma_i \Vdash M : [\sigma_i]_{i \in I}}\ (many) \qquad \dfrac{\Gamma \Vdash M : \mathcal{M} \to \sigma \quad \Delta \Vdash N : \#(\mathcal{M})}{\Gamma \uplus \Delta \Vdash MN : \sigma}\ (app)$

$\dfrac{\Gamma; x:\mathcal{M} \Vdash M : \sigma \quad \Delta \Vdash N : \#(\mathcal{M})}{\Gamma \uplus \Delta \Vdash [N/x]M : \sigma}\ (sub)$

Theorem 4. Let $M \in T_{ES}$. Then M is typable in ∩ES iff $M \in SN(dB, s)$.


A simple induction on the type derivation shows that the encoding is sound.

Lemma 16. Let $t \in T_J$. Then $\Gamma \Vdash_{\cap J} t : \sigma \implies \Gamma \Vdash_{\cap ES} t^\star : \sigma$.

We show completeness by a detour through the encoding of $T_{ES}$ to $T_J$:

Definition 6 (Translation from $T_{ES}$ to $T_J$).

$x^\circ := x \qquad (MN)^\circ := M^\circ(N^\circ, z.z) \qquad (\lambda x.M)^\circ := \lambda x.M^\circ \qquad ([N/x]M)^\circ := I(N^\circ, x.M^\circ)$

The two following lemmas, shown by induction on the type derivations, give in particular that $t^\star$ typable implies t typable.

Lemma 17. Let $M \in T_{ES}$. Then $\Gamma \Vdash_{\cap ES} M : \sigma \implies \Gamma \Vdash_{\cap J} M^\circ : \sigma$.
Lemma 18. Let $t \in T_J$. Then $\Gamma \Vdash_{\cap J} t^{\star\circ} : \sigma \implies \Gamma \Vdash_{\cap J} t : \sigma$.

Putting all together, we get this equivalence:
Corollary 1. Let $t \in T_J$. Then $\Gamma \Vdash_{\cap J} t : \sigma \iff \Gamma \Vdash_{\cap ES} t^\star : \sigma$.

This corollary, together with the two characterization theorems 3 and 4, provides the main result of this section:

Theorem 5 (Faithfulness). Let $t \in T_J$. Then $t \in SN(d\beta) \iff t^\star \in SN(dB, s)$.


6 Equivalent Notions of Strong Normalization

In the previous section, we related strong dβ-normalization with strong normalization of ES. In this section we will compare the various concepts of strong normalization that are induced on $T_J$ by β, dβ, (β, ρ2) and (β, π). This comparison will make use of several results obtained in the previous sections, and will obtain new results about the original calculus λJ.


6.1 β-Normalization Is Not Enough

We discussed in Sec. 2.2 about the unblocking property of π and ρ2. From the point of view of normalization, this means that $T_J[\beta]$ has premature normal forms and that $SN(\beta) \not\subseteq SN(d\beta)$. To illustrate this purpose we give an example of a $T_J$-term which normalizes when only using rule β, but diverges when adding permutation rules or distance. We write Ω the term $\delta^\circ(\delta^\circ, x.x)$, where $\delta^\circ = \lambda y.y(y,z.z)$, so that $\Omega \to_\beta \Omega$. Now, let us take $t := w(u, w'.\delta^\circ)(\delta^\circ, x.x)$. Although this term is normal in $T_J[\beta]$, the second $\delta^\circ$ is actually an argument for the first one, as we can see with a π permutation:

$t \to_\pi w(u, w'.\delta^\circ(\delta^\circ, x.x)) = w(u, w'.\Omega) =: t'$

Thus $t \to_\pi t' \to_\beta t'$, which implies $t \notin SN(\beta,\pi)$. We can also unblock the redex in t by a ρ2-permutation moving the inner λy up:

$t \to_{\rho_2} (\lambda y.w(u, w'.y(y,z.z)))(\delta^\circ, x.x) \to_\beta t'$

Thus $t \to_{\rho_2} \to_\beta t' \to_\beta t'$, and thus $t \notin SN(\beta,\rho_2)$. We get the same thing in a unique dβ-step: $t \to_{d\beta} t'$.

In all the three cases, β-strong normalization is not preserved by the permutation rules, as there is a term $t \in SN(\beta)$ such that $t \notin SN(\beta,\pi)$, $t \notin SN(\beta,\rho_2)$ and $t \notin SN(d\beta)$.
6.2 Comparison with β + ρ2

We now formalize the fact that our calculus $T_J[d\beta]$ is a version with distance of $T_J[\beta,\rho_2]$, so that they are equivalent from a normalization point of view. For this, we will establish the equivalence between strong normalization w.r.t. dβ and (β, ρ2), through a long chain of equivalences. One of them is Thm. 5, that we have proved in the previous section; the other is a result about σ-rules in the λ-calculus, which is why we have to go through the λ-calculus again.

Definition 7 (Translation from $T_{ES}$ to $T_\lambda$).

$x^\sharp := x \qquad (\lambda x.M)^\sharp := \lambda x.M^\sharp \qquad (MN)^\sharp := M^\sharp N^\sharp \qquad ([N/x]M)^\sharp := (\lambda x.M^\sharp)N^\sharp$

Lemma 19. Let $M \in T_{ES}$. Then $M \in SN(dB, s) \implies M^\sharp \in SN(\beta)$.

Proof. For typability in the λ-calculus, we use the type system $S_\lambda$ with choice operators in [9], which we rename here ∩S. It can be seen as a restriction of our system ∩ES to λ-terms. Suppose $M \in SN(dB, s)$. By Thm. 4 M is typable in ∩ES, and it is straightforward to show that $M^\sharp$ is typable in ∩S. Moreover, $M^\sharp$ typable implies that $M^\sharp \in SN(\beta)$ [9], which is what we want.

For $t \in T_J$, let $t^\natural := t^{\star\sharp}$. So, we are just composing the alternative encoding of generalized application into ES with the map into λ-calculus just introduced. The λ-term $t^\natural$ may be given by recursion on t as follows:

$x^\natural = x \qquad (\lambda x.t)^\natural = \lambda x.t^\natural \qquad t(u,y.r)^\natural = (\lambda y^l.(\lambda y^r.\{y^ly^r/y\}r^\natural)u^\natural)t^\natural$

Lemma 20. $t^\natural \in SN(\beta,\sigma_2) \implies t \in SN(\beta,\rho_2)$.

Proof. Because $(\cdot)^\natural$ produces a strict simulation from $T_J$ to $T_\lambda$. More precisely: (i) if $t_1 \to_\beta t_2$ then $t_1^\natural \to_\beta^+ t_2^\natural$; (ii) if $t_1 \to_{\rho_2} t_2$ then $t_1^\natural \to_{\sigma_2}^+ t_2^\natural$.

Theorem 6. Let $t \in T_J$. Then $t \in SN(\beta,\rho_2)$ iff $t \in SN(d\beta)$.

Proof. We prove that the following conditions are equivalent: 1) $t \in SN(\beta,\rho_2)$. 2) $t \in SN(d\beta)$. 3) $t^\star \in SN(dB, s)$. 4) $t^\natural \in SN(\beta)$. 5) $t^\natural \in SN(\beta,\sigma_2)$. Now, 1) ⟹ 2) is because $\to_{d\beta} \subseteq \to^+_{\beta,\rho_2}$; 2) ⟹ 3) is by Thm. 5; 3) ⟹ 4) is by Lem. 19; 4) ⟹ 5) is shown in [13]; 5) ⟹ 1) is by Lem. 20.


6.3 Comparison with β + π

We now prove the equivalence between strong normalization for dβ and for (β, π). One of the implications already follows from the properties of the typing system.

Lemma 21. Let $t \in T_J$. If $t \in SN(d\beta)$ then $t \in SN(\beta,\pi)$.

Proof. Follows from the completeness of the typing system (Lem. 13) and soundness of ∩J for (β, π) (Lem. 15).
The proof of the other implication requires more work, organized in 4 parts: 1) A remark about ES. 2) A remark about translations of ES into the λJn-calculus. 3) Two new properties of strong normalization for (β, π) in λJn. 4) Preservation of strong (β, π)-normalization by a certain map from the set $T_J$ into itself.

The remark about explicit substitutions is this:

Lemma 22. For all $M \in T_{ES}$, $M \in SN(dB, s)$ iff $M \in SN(B, s)$.

The translation $\_^\circ$ in Def. 6 induces a simulation of each s-reduction step on $T_{ES}$ into a β-reduction step on $T_J$, but cannot simulate the creation of an ES effected by rule B. A solution is to refine the translation $\_^\circ$ for applications, yielding the following alternative translation:

$x^\circ := x \qquad (\lambda x.M)^\circ := \lambda x.M^\circ \qquad (MN)^\circ := I(N^\circ, y.M^\circ(y,z.z)) \qquad ([N/x]M)^\circ := I(N^\circ, x.M^\circ)$

Since the clause for ES is not changed, simulation of each s-reduction step by a β-reduction step holds as before. The improvement lies in the simulation of each B-reduction step:

$((\lambda x.M)N)^\circ = I(N^\circ, y.(\lambda x.M^\circ)(y,z.z)) \to_\beta I(N^\circ, y.\{y/x\}M^\circ) =_\alpha ([N/x]M)^\circ$

This strict simulation gives immediately:
Lemma 23. For all $M \in T_{ES}$, if $M^\circ \in SN(\beta)$ then $M \in SN(B, s)$.

We now prove two properties of strong normalization for (β, π) in λJn. Following [10], $SN(\beta,\pi)$ admits an inductive characterization $\mathcal{ISN}(\beta,\pi)$, which uses the following inductive generation for $T_J$-terms:

$t, u, r ::= x\vec{S} \mid \lambda x.t \mid (\lambda x.t)S\vec{S} \qquad S ::= (u, y.r)$

Hence S stands for a generalized argument, while $\vec{S}$ denotes a possibly empty list of S's. The definition of $\mathcal{ISN}(\beta,\pi)$ is given below. Notice that at most one rule applies to a given term, so the rules are deterministic (and thus invertible).

$\dfrac{}{x \in \mathcal{ISN}(\beta,\pi)}\ (var) \qquad \dfrac{u, r \in \mathcal{ISN}(\beta,\pi)}{x(u,z.r) \in \mathcal{ISN}(\beta,\pi)}\ (var) \qquad \dfrac{t \in \mathcal{ISN}(\beta,\pi)}{\lambda x.t \in \mathcal{ISN}(\beta,\pi)}\ (lambda)$

$\dfrac{x(u,y.rS)\vec{S} \in \mathcal{ISN}(\beta,\pi)}{x(u,y.r)S\vec{S} \in \mathcal{ISN}(\beta,\pi)}\ (pi) \qquad \dfrac{\{\{u/x\}t/y\}r\vec{S} \in \mathcal{ISN}(\beta,\pi) \quad t, u \in \mathcal{ISN}(\beta,\pi)}{(\lambda x.t)(u,y.r)\vec{S} \in \mathcal{ISN}(\beta,\pi)}\ (beta)$

A preliminary fact is the following:
Lemma 24. $SN(\beta,\pi)$ is closed under prefixing of arbitrary π-reduction steps:

$\dfrac{t \to_\pi t' \quad t' \in SN(\beta,\pi)}{t \in SN(\beta,\pi)}$
Given that $SN(\beta,\pi) = \mathcal{ISN}(\beta,\pi)$, the "rule" in Lem. 24, when written with $\mathcal{ISN}(\beta,\pi)$, is admissible for the predicate $\mathcal{ISN}(\beta,\pi)$. Now, consider:

$\dfrac{u, r \in \mathcal{ISN}(\beta,\pi)}{\{y(u,z.z)/x\}r \in \mathcal{ISN}(\beta,\pi)}\ (I) \qquad \dfrac{\{\{\{u/y\}t/z\}r/x\}r' \in \mathcal{ISN}(\beta,\pi) \quad t, u \in \mathcal{ISN}(\beta,\pi) \quad x \notin fv(t,u,r)}{\{(\lambda y.t)(u,z.r)/x\}r' \in \mathcal{ISN}(\beta,\pi)}\ (II)$

Notice rule II generalizes rule (beta): just take $r' = x\vec{S}$, with $x \notin \vec{S}$.
The two new properties of strong normalization for (β, π) in λJn are contained in the following Lemma.

Lemma 25. Rules I and II are admissible rules for the predicate $\mathcal{ISN}(\beta,\pi)$.

We now move to the fourth part of the ongoing reasoning. Consider the map from $T_J$ to itself obtained by composing $(\cdot)^\star : T_J \to T_{ES}$ with $(\cdot)^\circ : T_{ES} \to T_J$. Let us write $t^\dagger := t^{\star\circ}$. A recursive definition is also possible, as follows:

$x^\dagger = x \qquad (\lambda x.t)^\dagger = \lambda x.t^\dagger \qquad t(u,y.v)^\dagger = I(t^\dagger, y_1.I(u^\dagger, y_2.\{y_1(y_2,z.z)/y\}v^\dagger))$

Lemma 26. If $t \in SN(\beta,\pi)$ then $t^\dagger \in SN(\beta,\pi)$.
Proof. Heavy use is made of Lem. 24 and Lem. 25.
All is in place to obtain the desired result:
Theorem 7. Let $t \in T_J$. $t \in SN(d\beta)$ iff $t \in SN(\beta,\pi)$.

Proof. The implication from left to right is Lem. 21. For the converse, suppose $t \in SN(\beta,\pi)$. By Lem. 26, $t^\dagger \in SN(\beta,\pi)$. Trivially, $t^\dagger \in SN(\beta)$. Since $t^\dagger = t^{\star\circ}$, Lem. 23 gives $t^\star \in SN(B, s)$. By Lem. 22, $t^\star \in SN(dB, s)$. By an equivalence in the proof of Thm. 6, $t \in SN(d\beta)$.


6.4 Consequences for λJ

The comparison with λJn gives new results about the original λJ (a quantitative typing system characterizing strong normalization, and a faithful translation into ES) as immediate consequences of Thms. 3, 5, and 7.

Corollary 2. Let $t \in T_J$. (1) $t \in SN(\beta,\pi)$ iff t is ∩J-typable. (2) $t \in SN(\beta,\pi)$ iff $t^\star \in SN(dB, s)$.

Beyond strong normalization, λJ gains a new normalizing strategy, which reuses the notion of weak-head normal form introduced in Sec. 3.2. We take the definitions of neutral terms, answer and weak-head context W given there for λJn, in order to define a new weak-head strategy and a new predicate ISN for λJ. The strategy is defined as the closure under W of rule β and of the particular case of rule π where the redex has the form $n(u,x.a)S$.⁵

⁵ Notice how a redex has the two possible forms $(\lambda x.t)S$ or $n(u,x.a)S$, that can be written as $aS$, that is, the form $D\langle\lambda x.t\rangle S$ of a weak-head redex in λJn.
Definition 8. Predicate ISN is defined by the rules (snvar), (snapp), (snabs) in Def. 3, together with the following two rules (which replace rule (snbeta)):

$\dfrac{W\langle n(u,y.aS)\rangle \in \mathsf{ISN}}{W\langle n(u,y.a)S\rangle \in \mathsf{ISN}}\ (snredex1) \qquad \dfrac{W\langle\{\{u/x\}t/y\}r\rangle, t, u \in \mathsf{ISN}}{W\langle(\lambda x.t)(u,y.r)\rangle \in \mathsf{ISN}}\ (snredex2)$

The corresponding normalization strategy is organized as usual: an initial phase obtains a weak-head normal form, whose components are then reduced by internal reduction. Is this new strategy any good? The last theorem of the paper answers positively:

Theorem 8. Let $t \in T_J$. $t \in \mathsf{ISN}$ iff $t \in \mathcal{ISN}(\beta,\pi)$.


7 Conclusion 


Contributions. This paper presents and studies several properties of the call-by-name λJn-calculus, a formalism implementing an appropriate notion of distant reduction to unblock the β-redexes arising in generalized application notation.

Strong normalization of simply typed terms was shown by translating the λJn-calculus into the λ-calculus. A full characterization of strong normalization was developed by means of a quantitative type system, where the length of dβ-reduction to normal form is bound by the size of the type derivation of the starting term. An inductive definition of dβ-strong normalization was defined and proved correct in order to achieve this characterization. It was also shown how the traditional permutative rule π is rejected by the quantitative system, thus emphasizing the choice of dβ-reduction for a quantitative generalized application framework.

We have also defined a faithful translation from the λJn-calculus into ES. The translation preserves strong normalization, in contrast to the traditional translation to ES e.g. in [4]. Last but not least, we related strong normalization of λJn with that of other calculi, including in particular the original λJ. New results for the latter were found by means of the techniques developed for λJn. In particular, a quantitative characterization of strong normalization was developed for λJ, where the bound of reduction given by the size of type derivations only holds for β-steps (and not for π-steps).

Future work. Regarding call-by-name for generalized applications, this paper opens new questions. We studied a new calculus λJn, proposed as an alternative to the original λJ, but we also mentioned some possible variants in Sec. 2.2, notably a calculus based on rule (1), and β + ρ2 (used as a technical tool in Sec. 6). The first option seems to have the flavor of λJ whereas the β + ρ2 option seems to have the flavor of λJn. It remains to be seen what are the advantages and drawbacks of the latter one with respect to λJn.

Regarding call-by-value, we plan to develop the quantitative semantics in the presence of generalized applications, starting from the calculus proposed in [5]. Further unification between call-by-name and call-by-value with the help of generalized applications could be considered in the setting of the polarized lambda-calculus [4].
Abstract. We study a family of modal logics interpreted on tree-like structures, and featuring local quantifiers $\exists^k p$ that bind the proposition p to worlds that are accessible from the current one in at most k steps. We consider a first-order and a second-order semantics for the quantifiers, which enables us to relate several well-known formalisms, such as hybrid logics, S5Q and graded modal logic. To better stress these connections, we explore fragments of our logics, called herein round-bounded fragments. Depending on whether first or second-order semantics is considered, these fragments populate the hierarchy $2\mathrm{NExp} \subseteq 3\mathrm{NExp} \subseteq \cdots$ or the hierarchy $2\mathrm{AExp}_{pol} \subseteq 3\mathrm{AExp}_{pol} \subseteq \cdots$, respectively. For formulae up-to modal depth k, the complexity improves by one exponential.


1 Introduction 


From a traditional perspective, modal logics [10] are formalisms to reason about different modes of truth. However, another view consists of seeing these logics as computationally well-behaved fragments of first-order logic and second-order logic (see e.g., [1] for a discussion). Some examples of well-known modal logics with a good balance between expressivity and computational complexity are graded modal logic (GML) [5,28], whose satisfiability problem is PSpace-complete; and the temporal logics LTL, CTL and CTL* whose satisfiability problems are complete for PSpace, Exp and 2Exp, respectively [31,19,25].

A family of logics that eludes this nice computational picture is that made of modal logics enriched with first-order or second-order propositional quantifiers ∃p, which update the set of worlds of a Kripke structure that satisfy the propositional symbol p. The literature of modal logics featuring quantification over propositional symbols can be traced back to [12,26,18]. All these works show that, in spite of the simplicity of the principle, propositional quantification leads to undecidability very quickly. One of the few exceptions is the logic S5Q, i.e. S5 enriched with second-order propositional quantifiers, which enjoys an exponential-size small model property, and is thus decidable [22,18]. Here, the success in finding a well-behaved framework for propositional quantification is due to the fact that S5 has a very restricted class of models. In modern literature, the family of hybrid logics [2] is one of the most relevant approaches offering first-order propositional quantification. Most hybrid logics provide operators ↓i that bind the current world to the proposition i, and $@_i$ that allows to jump to the world bound to i. This form of quantification is very expressive, and leads to undecidability over standard Kripke structures [3]. To regain decidability, one can restrict the logic to syntactical fragments that avoid the quantification patterns $\Box\!\downarrow$ and $\Box\!\downarrow\!@$, or restrict the interpretation to models in which each world has at most two successors [14]. Again, one can also simply consider S5 models: the hybrid logic with ↓ and @ on S5 is known to admit an NExp-complete satisfiability problem [30].

Recent works shed new light on the role of propositional quantifiers. From a model theoretical perspective, a revision about the different forms of propositional quantification has been put forward in [9]. Novel algebraic insights on S5 with propositional quantification have been discovered in [17]. From a computational perspective, [6] shows that second-order propositional quantification is enough to obtain TOWER-complete (hence, non-elementary decidable, [29]) logics on tree-like structures. This last result is of interest, as the second-order logic $\mathsf{QCTL}^t$ considered in [6] subsumes several other modal logics with forms of quantification "in disguise", such as the aforementioned GML, as well as modal separation logics [16], ambient logics [13] and team logics [21]. However, when translated into $\mathsf{QCTL}^t$, the good computational properties of these logics are lost, and the TOWER-hardness of $\mathsf{QCTL}^t$ prevents us from grasping the real capabilities of their (often restricted) forms of propositional quantification.


Contributions. The overall message of [6] is that the computational power of propositional quantification in the context of modal logic deserves to be better understood. Driven by this message, we investigate from a unified perspective a family of logics interpreted on tree-like models, featuring a very intuitive form of propositional quantification: the local quantifier $\exists^k p$, with $k \geq 1$ integer, that binds the propositional symbol p to world(s) occurring within distance k from the current point of evaluation. More precisely, we look at two families of modal logics: the family $ML(\exists^1_{fo}), ML(\exists^2_{fo}), \dots$, where $ML(\exists^k_{fo})$ extends the basic modal logic ML with the first-order local quantifier $\exists^k p$ binding p to exactly one world occurring within distance k of the current world; and the family $ML(\exists^1_{so}), ML(\exists^2_{so}), \dots$, where $ML(\exists^k_{so})$ extends ML with the second-order local quantifier $\exists^k p$ binding p to a set of worlds occurring within distance k.

As previously mentioned, in introducing these logics our aim is to better understand the similarities and differences between the various modal logics featuring propositional quantification, especially when it comes to their complexity. This analysis cannot be done using TOWER-complete logics like $\mathsf{QCTL}^t$, as finer complexity classes are required. In this sense, it is worth noticing that our framework features the logic $ML(\exists^\infty_{so})$, whose quantifier $\exists^\infty p$ binds p to arbitrary worlds reachable from the current one. This is exactly the logic $\mathsf{QCTL}^t$. Because of this connection and of similarities with other frameworks, e.g. [7], we argue that even if we restrict ourselves to quantifiers $\exists^k_{so}$ with small k, the complexity does not improve. In fact, $ML(\exists^2_{so})$ is already TOWER-complete, although we defer this result to an extended version of the paper, due to the lack of space. Consequently, to pursue our goal of a fine-grained analysis of the computational power of propositional quantification in modal logic, in this paper we focus on a syntactical restriction for $ML(\exists^k_{fo})$ and $ML(\exists^k_{so})$ where the local quantifiers are round-bounded (Sec. 2). Roughly speaking, under the round-bounded condition, $ML(\exists^k_{fo})$ and $ML(\exists^k_{so})$ formulae can be split into parts having k nested modalities. Quantifiers belonging to one part of the formula do not interact with quantifiers from other parts of the formula. The following results are established.


Theorem 1. The sat. problem for round-bounded $ML(\exists^k_{fo})$ is (k+1)NExp-complete. It is kNExp-complete for formulae of $ML(\exists^k_{fo})$ of modal depth k.

Theorem 2. The sat. problem for round-bounded $ML(\exists^k_{so})$ is (k+1)AExp$_{pol}$-complete. It is kAExp$_{pol}$-complete for formulae of $ML(\exists^k_{so})$ of modal depth k.

Here and along the paper, given natural numbers $k, n \geq 1$, we write $\mathfrak{t}$ for the tetration function inductively defined as $\mathfrak{t}(0,n) \overset{def}{=} n$ and $\mathfrak{t}(k+1,n) \overset{def}{=} 2^{\mathfrak{t}(k,n)}$. Intuitively, $\mathfrak{t}(k,n)$ defines a tower of exponentials of height k. Then, kNExp is the class of all problems decidable by a non-deterministic Turing machine running in time $\mathfrak{t}(k, f(n))$, for some polynomial f, on each input of length n; whereas kAExp$_{pol}$ is the class of all problems decidable with an alternating Turing machine [15] in time $\mathfrak{t}(k, f(n))$ and performing at most g(n) alternations, for some polynomials f, g, on each input of length n. For all $k \geq 1$, kNExp ⊆ kAExp$_{pol}$ ⊆ TOWER, as we recall that TOWER is the class of all problems decidable with a Turing machine running in time $\mathfrak{t}(g(n), f(n))$ for some polynomial f and elementary function g, on each input of length n [29]. The lower bounds of Thms. 1 and 2 are established by reduction from suitable tiling problems (Sec. 3). The upper bounds are established by designing a quantifier elimination procedure that yields a (k+1)ExpSpace small-model property for round-bounded $ML(\exists^k_{so})$, and a kExpSpace small-model property for the set of formulae of $ML(\exists^k_{so})$ of modal depth k (Sec. 4). The round-bounded condition does not change the set of formulae of $ML(\exists^1_{fo})$ and $ML(\exists^1_{so})$, and thus, as a corollary, we characterise the complexity of these logics:


Corollary 1. (I) The sat. problem for $ML(\exists^1_{fo})$ is 2NExp-complete.
(II) The sat. problem for $ML(\exists^1_{so})$ is 2AExp$_{pol}$-complete.

As promised, our framework yields a refined analysis on the power of propositional quantification in modal logic, which we compare to previously known results in Sec. 2. Quite surprisingly, we show that, on tree-like models, modal logic enriched with propositional quantifiers is as expressive as graded modal logic. Moreover, we establish that S5Q is AExp$_{pol}$-complete (refining the previous results from [22,18]), and that hybrid logic with ↓ and @ on trees is TOWER-complete.


2 Preliminaries 


The symbol $\mathbb{N}$ (resp. $\mathbb{N}_+$) denotes the set of natural numbers including (resp. excluding) zero, $\overline{\mathbb{N}}$ denotes the set $\mathbb{N} \cup \{\infty\}$, where $n < \infty$, $\infty + n = \infty$ and $n \bmod \infty = n$ for all $n \in \mathbb{N}$, and $\overline{\mathbb{N}}_+ = \overline{\mathbb{N}} \setminus \{0\}$. We write $|S| \in \overline{\mathbb{N}}$ for the size of a set S. Finally, let $AP = \{p, q, r, \dots\}$ be a countable set of atomic propositions.

Kripke structures. A Kripke structure is a triple $K = (W, R, V)$ where W is a non-empty set of worlds, $V : AP \to 2^W$ is a valuation, and $R \subseteq W \times W$ is a binary accessibility relation. A Kripke-style forest is a Kripke structure whose accessibility relation R is such that its inverse $R^{-1}$ is functional and acyclic. In particular, the graph described by K is a collection of disjoint trees, where R encodes the child relation. We write R(w) for the set of children of w, i.e. $\{w' \in W : (w, w') \in R\}$. For $i \in \mathbb{N}$, $R^i$ is the i-th composition of R: $R^0$ is the identity map on W, and $R^{i+1} = \{(w, w') \in W \times W : (w, w'') \in R^i \text{ and } (w'', w') \in R, \text{ for some } w'' \in W\}$. For $n, m \in \overline{\mathbb{N}}$, $R^{[n,m]} \overset{def}{=} \bigcup_{i=n}^{m} R^i$, and $R^* = R^{[0,\infty]}$ is the Kleene closure of R. For $W' \subseteq W$, $V[p \leftarrow W']$ is the valuation obtained from V by updating to W' the set assigned to $p \in AP$. A pointed forest (K, w) is a Kripke-style finite forest K together with one of its worlds w.


Modal logic with local quantifiers. For $k \in \mathbb{N}$ written in unary, we introduce the modal logic $ML(\exists^k)$, whose formulae φ, ψ, χ, etc., are from the grammar below:

$\varphi, \psi ::= \top \mid p \mid \varphi \wedge \psi \mid \neg\varphi \mid \Diamond\varphi \mid \exists^k p\,\varphi, \quad \text{where } p \in AP.$

We call $\exists^k p$ a local (existential) quantifier. We are interested in two interpretations for the logic $ML(\exists^k)$, one where the local quantifier $\exists^k p$ performs a first-order quantification, and one where it performs a second-order one. For simplicity, $ML(\exists^k_{fo})$ (resp. $ML(\exists^k_{so})$) stands for $ML(\exists^k)$ interpreted under first-order (resp. second-order) semantics. The basic modal logic ML is obtained by removing the constructor $\exists^k p\,\varphi$ from the grammar.

Let (K, w) be a pointed forest, where K = (W, R, V). For formulae of $ML(\exists^k_{fo})$, the satisfaction relation ⊨ is defined as follows (Boolean cases are omitted):

$K, w \models p \iff w \in V(p); \qquad K, w \models \Diamond\varphi \iff \text{there is } w' \in R(w) \text{ s.t. } K, w' \models \varphi;$
$K, w \models \exists^k p\,\varphi \iff \text{there is } w' \in R^{[0,k]}(w) \text{ such that } (W, R, V[p \leftarrow \{w'\}]), w \models \varphi.$

An atomic proposition p is said to be a nominal for (K, w) whenever |V(p)| = 1. Additionally, p is i-local whenever $V(p) \subseteq R^i(w)$. In particular, the first-order quantification $\exists^k p\,\varphi$ leads to φ being evaluated in a pointed forest where p is an i-local nominal for some $i \in [0, k]$. Given a nominal p, we call $w \in V(p)$ the world corresponding to p, and often denote it by $w_p$.

For formulae of the second-order logic $ML(\exists^k_{so})$, the interpretation of the ML fragment remains as for $ML(\exists^k_{fo})$, whereas we reinterpret the local quantifier as:

$K, w \models \exists^k p\,\varphi \iff \text{there is a set } W' \subseteq R^{[0,k]}(w) \text{ s.t. } (W, R, V[p \leftarrow W']), w \models \varphi.$


The contradiction ⊥ and connectives ∨, ⇒ and ⇔ are defined as usual. Below, let φ and ψ be two formulae of $ML(\exists^k)$. The local universal quantifier $\forall^k p\,\varphi$ and the modality □φ are defined as $\neg\exists^k p\,\neg\varphi$ and $\neg\Diamond\neg\varphi$, respectively. We define $\Diamond^0\varphi \overset{def}{=} \varphi$, and given $i \in \mathbb{N}$, $\Diamond^{i+1}\varphi \overset{def}{=} \Diamond^i\Diamond\varphi$. Similarly, $\Box^i\varphi \overset{def}{=} \neg\Diamond^i\neg\varphi$. We write $@^i_p\varphi$ for $\Diamond^i(p \wedge \varphi)$. If p is a nominal, the formula $@^i_p\varphi$ states that p is i-local, and that its corresponding world satisfies φ. We define $\Diamond^{\leq 0}\varphi \overset{def}{=} \varphi$ and $\Box^{\leq 0}\varphi \overset{def}{=} \varphi$, and given $i \in \mathbb{N}$, $\Diamond^{\leq i+1}\varphi \overset{def}{=} \varphi \vee \Diamond\Diamond^{\leq i}\varphi$ and $\Box^{\leq i+1}\varphi \overset{def}{=} \varphi \wedge \Box\Box^{\leq i}\varphi$. We use the operator precedence $\{\neg, \Diamond, \Box, \exists^k, \forall^k, @^i_p\} < \{\wedge, \vee\} < \{\Rightarrow, \Leftrightarrow\}$, and sometimes write ":" after a local quantifier with the intuitive meaning that the formula on the right of ":" should be enclosed in brackets, e.g. $\exists^2 p : p \wedge \psi$ abbreviates $\exists^2 p\,(p \wedge \psi)$. Given $i \in \mathbb{N}$, we write $\varphi[\psi \leftarrow_i \chi]$ for the formula obtained from φ by simultaneously substituting with χ each occurrence of the formula ψ appearing under the scope of exactly i nested modalities.

The length of φ, denoted with |φ|, is the number of symbols needed to represent φ. The modal depth md(φ) of φ is the maximal number of nested modalities occurring in φ. We write bp(φ) for the set of bound propositions of φ, i.e. propositions p that occur in a quantifier $\exists^i p$ inside φ. We say that φ is well-quantified whenever each subformula $\exists^k p\,\psi$ of φ quantifies on a different $p \in AP$, and every occurrence of p in ψ appears under the scope of at most k modalities. One can translate every formula into a well-quantified one at no cost: atomic propositions can be renamed, and occurrences of a quantified atomic proposition that are under the scope of more than k modalities can be replaced with ⊥.

We write $\varphi \equiv_{fo} \psi$ (resp. $\varphi \equiv_{so} \psi$) whenever φ and ψ are equivalent under their first-order (resp. second-order) semantics, i.e. they are satisfied by the same pointed forests. When clear from the context or true under both semantics, we drop the subscripts and write φ ≡ ψ. Notice that $\exists^k p\,\varphi \equiv \exists^{k+1} p\,(\varphi \wedge \Box^{k+1}\neg p)$, and thus $ML(\exists^k)$ is a syntactical fragment of $ML(\exists^{k+1})$, and it is able to express all the local quantifiers $\exists^1 p, \dots, \exists^k p$.
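As an added illustration (not code from the paper or its authors), the following Python model checker implements the satisfaction relation above for $ML(\exists^k)$ on a finite Kripke-style forest, under both the first-order reading of $\exists^k p$ (p bound to a single world of $R^{[0,k]}(w)$) and the second-order reading (p bound to a subset of $R^{[0,k]}(w)$), with □ taken as $\neg\Diamond\neg$ as in the abbreviations above. It also checks the equivalence $\exists^k p\,\varphi \equiv \exists^{k+1} p\,(\varphi \wedge \Box^{k+1}\neg p)$ by brute force at every world of a constructed five-world forest. The sample forest, its valuation, the tuple encoding of formulae and the function names are assumptions of mine.

```python
"""Added example (not the paper's code): model checking ML(E^k) on a finite
Kripke-style forest under first-order ('fo') and second-order ('so') semantics."""
from itertools import combinations

# Constructed sample pointed forest (K, w0): w0 has children w1, w2; w1 has w3; w2 has w4.
CHILDREN = {'w0': ['w1', 'w2'], 'w1': ['w3'], 'w2': ['w4'], 'w3': [], 'w4': []}
VAL = {'q': {'w3'}}          # V(q) = {w3}; propositions not listed are false everywhere
ROOT = 'w0'

# Formulae as tuples: ('top',) | ('p', name) | ('and', a, b) | ('not', a)
#                     | ('dia', a) | ('ex', k, name, a)      for  E^k name a

def reach_upto(children, w, k):
    """R^{[0,k]}(w): the worlds at distance at most k below w, w itself included."""
    frontier, seen = {w}, {w}
    for _ in range(k):
        frontier = {c for v in frontier for c in children.get(v, ())}
        seen |= frontier
    return seen

def sat(children, val, w, phi, semantics='fo'):
    """K, w |= phi, where K = (W, R, V) is given by `children` (R) and `val` (V)."""
    kind = phi[0]
    if kind == 'top':
        return True
    if kind == 'p':
        return w in val.get(phi[1], set())
    if kind == 'and':
        return sat(children, val, w, phi[1], semantics) and sat(children, val, w, phi[2], semantics)
    if kind == 'not':
        return not sat(children, val, w, phi[1], semantics)
    if kind == 'dia':
        return any(sat(children, val, c, phi[1], semantics) for c in children.get(w, ()))
    _, k, p, body = phi                      # local quantifier E^k p body
    cand = sorted(reach_upto(children, w, k))
    if semantics == 'fo':                    # p becomes an i-local nominal for some i <= k
        choices = [{v} for v in cand]
    else:                                    # p becomes any subset of R^{[0,k]}(w)
        choices = [set(s) for r in range(len(cand) + 1) for s in combinations(cand, r)]
    return any(sat(children, {**val, p: chosen}, w, body, semantics) for chosen in choices)

def box(phi):
    """Box phi = not Dia not phi."""
    return ('not', ('dia', ('not', phi)))

def box_n(i, phi):
    """Box^i phi, built as i nested boxes (equivalent to not Dia^i not phi)."""
    for _ in range(i):
        phi = box(phi)
    return phi

def fo_vs_so(phi=('ex', 1, 'p', ('and', ('p', 'p'), ('dia', ('p', 'p'))))):
    """Evaluate phi at the root under both semantics; returns the pair (fo, so)."""
    return (sat(CHILDREN, VAL, ROOT, phi, 'fo'), sat(CHILDREN, VAL, ROOT, phi, 'so'))

def quantifier_shift_holds(phi, k, semantics='fo'):
    """Check  E^k p phi  ==  E^{k+1} p (phi and Box^{k+1} not p)  at every world of the sample forest."""
    lhs = ('ex', k, 'p', phi)
    rhs = ('ex', k + 1, 'p', ('and', phi, box_n(k + 1, ('not', ('p', 'p')))))
    return all(sat(CHILDREN, VAL, w, lhs, semantics) == sat(CHILDREN, VAL, w, rhs, semantics)
               for w in CHILDREN)
```

The default formula of `fo_vs_so`, $\exists^1 p\,(p \wedge \Diamond p)$, separates the two semantics on the sample forest: under the second-order reading p can hold both at the root and at one of its children, whereas the first-order reading binds p to a single world, so the formula is false. The subset enumeration in the second-order case is exponential in $|R^{[0,k]}(w)|$, which is fine for a five-world forest but is not how the small-model arguments of the paper proceed.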


Round-bounded fragment. As discussed in Sec. 1, in this paper we focus on a syntactical restriction for $ML(\exists^k)$ where the local quantifiers are round-bounded. The round-bounded formulae of $ML(\exists^k)$ are those generated from the symbol $\varphi^k_0$ of the grammar below ($j \in \mathbb{N}$):

$\varphi^k_j, \psi^k_j ::= \top \mid p \mid \varphi^k_j \wedge \psi^k_j \mid \neg\varphi^k_j \mid \Diamond\varphi^k_{j+1} \mid \exists^{k-(j \bmod k)} p\,\varphi^k_j, \quad \text{where } p \in AP.$

In a round-bounded formula of $ML(\exists^k)$, quantifiers appearing under the scope of j modalities are restricted to $\exists^{k-(j \bmod k)}$, e.g. $\exists^3 p\,\Diamond\exists^2 q\,\exists^2 r\,\Diamond\Diamond\exists^3 p\,\varphi$ is a round-bounded formula of $ML(\exists^3)$, provided that φ is also in this fragment, whereas $\exists^3 p\,\Diamond\exists^3 q\,\varphi$ is not round-bounded. The round-bounded condition does not change the set of formulae of $ML(\exists^1)$ and $ML(\exists^\infty)$. Besides, every formula of $ML(\exists^\infty)$ of modal depth k is equivalent to a round-bounded formula of $ML(\exists^k)$, of similar size, since given a formula φ of $ML(\exists^\infty)$, we have $\exists^\infty p\,\varphi \equiv \exists^{md(\varphi)} p\,\varphi$.

Our framework of local quantifiers enables us to derive connections with other 
modal logics featuring some form of quantification, which we now briefly discuss. 


Graded modal logic. A logic that has been shown related to different forms of quantification is the graded modal logic GML [5], that extends ML with modalities $\Diamond_{\geq\ell}$ ($\ell \in \mathbb{N}$), with semantics: $K, w \models \Diamond_{\geq\ell}\varphi \iff |\{w' \in R(w) \mid K, w' \models \varphi\}| \geq \ell$. GML has a tree model property, i.e., each of its satisfiable formulae is satisfied by a pointed forest. Then, by syntactically replacing each $\Diamond_{\geq\ell}\varphi$ occurring in a GML formula by $\exists^1 x_1, \dots, x_\ell : \bigwedge_i \Diamond x_i \wedge \bigwedge_{i \neq j} @^1_{x_i}\neg x_j \wedge \Box((\bigvee_i x_i) \Rightarrow \varphi)$, one shows that GML embeds in $ML(\exists^1_{fo})$. At this point, it is worth noting that, for all $k \in \mathbb{N}_+$, $ML(\exists^k_{fo})$ can be embedded into $ML(\exists^k_{so})$ by replacing, in a well-quantified formula of $ML(\exists^k_{fo})$, each occurrence of $\exists^k p\,\varphi$ with the $ML(\exists^k_{so})$ formula $\exists^k p : \varphi \wedge \mathrm{uniq}_k(p)$, where $\mathrm{uniq}_k(p) \overset{def}{=} \Diamond^{\leq k} p \wedge \forall^k q : \Diamond^{\leq k}(p \wedge q) \Rightarrow \Box^{\leq k}(p \Rightarrow q)$ states that there is at most one world satisfying p that is reachable from the current one in at most k steps. Hence, $ML(\exists^k_{so})$ captures GML, and in fact the converse also holds, as we discover when proving Thm. 2. The corollary below is established.

Corollary 2. For $k \in \mathbb{N}_+$, $ML(\exists^k_{fo})$, $ML(\exists^k_{so})$ and GML are equally expressive.

This result is surprising, as it implies that $\mathsf{QCTL}^t$ from [6] is as expressive as GML, and that in the context of modal logics, second-order propositional quantifiers do not yield any additional expressive power compared to first-order ones.


Connections with S5Q. The sat. problem of S5Q [18,22] is equireducible to the sat. problem for formulae of $ML(\exists^1_{so})$ of modal depth 1. Briefly, any satisfiable formula of S5Q is satisfied by a Kripke structure (W, R, V) where $R = W \times W$, and S5Q enriches ML with quantifiers ∃p which, by virtue of the relation R, are essentially the quantifiers $\exists^1 p$ from $ML(\exists^1_{so})$. We can simulate the models of S5Q by using a pointed forest (K, w) with accessibility relation R' such that R'(w) = W. The current world of the S5Q model is simulated with a 1-local nominal x for (K, w). Then, the translation τ from S5Q to $ML(\exists^1_{so})$ is simple: $\tau(\Diamond\varphi) = \exists^1 x : \Diamond x \wedge \mathrm{uniq}_1(x) \wedge \tau(\varphi)$, binding the nominal x to a new world; $\tau(p) = @^1_x p$, and otherwise τ is homomorphic. A similar translation can be given from formulae of $ML(\exists^1_{so})$ with modal depth 1 to S5Q. Following Thm. 2, this allows us to characterise the complexity of S5Q left open in [18].

Corollary 3. The sat. problem for S5Q is AExp$_{pol}$-complete.


Connections with hybrid logics. Hybrid logics [3] are among the most studied modal logics featuring first-order propositional quantification. Given a set of nominals $\mathrm{NOM} \subseteq \mathrm{AP}$, the hybrid logic $\mathrm{HL}(\downarrow,@)$ extends ML with the binder $\downarrow i$ and the satisfaction operator $@_i$ (where $i \in \mathrm{NOM}$), having the semantics below:

$(W,R,V), w \models \downarrow i.\varphi \iff (W,R,V[i \mapsto \{w\}]), w \models \varphi$;
$(W,R,V), w \models @_i\varphi \iff (W,R,V), w_i \models \varphi$, where $V(i) = \{w_i\}$.

$\mathrm{ML}(\exists^k_{fo})$ embeds in $\mathrm{HL}(\downarrow,@)$ by replacing with $\downarrow i.\Diamond^{\le k}\downarrow p.@_i\varphi$ each occurrence of $\exists^k p\,\varphi$ appearing in an $\mathrm{ML}(\exists^k_{fo})$ formula. This translation is (only) exponential in $k$, and so by uniform reduction for all $k \in \mathbb{N}_+$, and by Rabin's theorem [27] for the upper bound, Thm. 1 implies the following result.

Corollary 4. The sat. problem for $\mathrm{HL}(\downarrow,@)$ on forests is TOWER-complete.


3 Lower bounds for $\mathrm{ML}(\exists^k_{fo})$ and $\mathrm{ML}(\exists^k_{so})$


In this section, we establish the lower bounds of Thms. 1 and 2, which follow by reduction from the $k$-exp alternating multi-tiling problem. While we will introduce this problem in due time, the main difficulty in establishing the reduction is defining, for all $k,n \in \mathbb{N}_+$ given in unary, a formula $\mathit{type}(k,n)$ that, whenever satisfied by a pointed forest $(K,w)$, forces $w$ to have $t(k,n)$ children, each of them encoding a different number in $[0, t(k,n)-1]$. To establish Thms. 1 and 2, it is essential that $\mathit{type}(k,n)$ is of size polynomial in $k$ and $n$, has modal depth $k$, is in $\mathrm{ML}(\exists^1_{fo})$ for $k = 1$, and is in round-bounded $\mathrm{ML}(\exists^{k-1}_{fo})$ for all $k \ge 2$. The formula $\mathit{type}(k,n)$ is inspired by the homonymous formula defined in [6] to show that QCTL is TOWER-hard, and later adapted in [7] to modal separation logics. With respect to both these works, our definition of $\mathit{type}(k,n)$ poses two serious challenges. First, [6,7] rely on second-order quantification, whereas we only use first-order. Second, in [6,7] the formula $\mathit{type}(k,n)$ is of size exponential in $k$, whereas our formula is of polynomial size. To achieve both improvements, we rely on a novel gadget that simulates binary addition with carry.

[Fig. 1: image not reproduced in this extraction. The world $w'$ satisfying $\mathit{type}(k,n)$ is drawn with its $t(k-1,n)$ children, whose $b$-labels read as the binary number $n_k(w')$.]
Fig. 1: Two worlds $w$ and $w'$ satisfying $\mathit{type}(1,2)$ and $\mathit{type}(k,n)$, respectively.


Numeric encoding. First of all, let us define how numbers are encoded by worlds of a pointed forest, following the presentation of [6]. Fix $n+1$ distinct atomic propositions $p_1,\dots,p_n,b$, and consider a Kripke-style forest $K = (W,R,V)$. Given $j \in [1,k]$ and $w \in W$, we write $n_j(w)$ for the number in $[0,t(j,n)-1]$ encoded by $w$. For $j = 1$, we represent $n_1(w) \in [0,2^n-1]$ by using the truth values of the propositions $p_1,\dots,p_n$, where the proposition $p_i$ is responsible for the $i$-th least significant bit of the number. That is, $n_1(w) = \sum\{2^{i-1} : i \in [1,n] \text{ and } w \in V(p_i)\}$. For $j > 1$, the number $n_j(w)$ is represented by the binary encoding of the truth values of the atomic proposition $b$ on the children of $w$, where a child $w' \in R(w)$ with $n_{j-1}(w') = i$ from $[0,t(j-1,n)-1]$ is responsible for the $(i+1)$-th least significant bit of the number encoded by $w$. Formally, $n_j(w) = \sum\{2^i : n_{j-1}(w') = i \text{ and } w' \in V(b), \text{ for some } w' \in R(w)\}$.

With respect to this encoding of numbers, the forthcoming formula $\mathit{type}(k,n)$ shall satisfy the specification given by the lemma below, which guarantees that in a pointed forest $(K,w)$ satisfying $\mathit{type}(k,n)$, the numbers encoded by the children of $w$ span all over $[0,t(k,n)-1]$. This is illustrated in Fig. 1.

Lemma 1. A pointed forest $(K,w)$, with $K = (W,R,V)$, satisfies $\mathit{type}(k,n)$ if and only if
1. for all $i \in [0,t(k,n)-1]$ there is exactly one world $w' \in R(w)$ s.t. $n_k(w') = i$;
2. if $k > 1$, then for every $w' \in R(w)$, $K,w' \models \mathit{type}(k-1,n)$.


Addition with carry. In defining $\mathit{type}(k,n)$, the main challenge lies in how to express the condition (1) of Lemma 1. In [6,7], this boils down to the definition of formulae that express (in)equalities between the numbers encoded by distinct $w_1,w_2 \in R(w)$, e.g. $n_k(w_1) < n_k(w_2)$ or $n_k(w_1) = n_k(w_2) + 1$. Unfortunately, these formulae are tree-recursive on $k$, meaning that multiple (possibly negated) occurrences of the inequalities for the case $k-1$ are required to define the inequalities for the case $k$. Overall, this induces an exponential blow-up on $|\mathit{type}(k,n)|$. To avoid this blow-up, instead of relying on these inequalities we consider a quaternary relation $+_k(w_1,w_2,w_3,w_4)$ that holds whenever $n_k(w_1) + n_k(w_2) = n_k(w_3)$ and $n_k(w_4)$ represents the sequence of carries needed to perform $n_k(w_1) + n_k(w_2)$ in binary, on $t(k-1,n)$ bits. For instance, for 4-bit numbers $n_1(w_1) = 3 = (0011)_2$, $n_1(w_2) = 5 = (0101)_2$, $n_1(w_3) = 8 = (1000)_2$ and $n_1(w_4) = 14 = (1110)_2$, the tuple $(w_1,w_2,w_3,w_4)$ is in $+_1$, as

      1110 : $w_4$ (sequence of carries of the sum)
      0011 : $w_1$
    + 0101 : $w_2$
    ------
      1000 : $w_3$

corresponds to the table for the binary addition with carry of $3 + 5 = 8$. By looking at the elementary algorithm for addition, a direct characterisation of $+_k$ is as follows. Let $n_k(w_1) = (x_m \dots x_1)_2$, $n_k(w_2) = (y_m \dots y_1)_2$, $n_k(w_3) = (z_m \dots z_1)_2$, $n_k(w_4) = (c_m \dots c_1)_2$, where $m = t(k-1,n)$, and $x_i$, $y_i$, $z_i$ and $c_i$ are the $i$-th least significant digits in the binary encoding of $n_k(w_1)$, $n_k(w_2)$, $n_k(w_3)$, $n_k(w_4)$, respectively. Then, $+_k(w_1,w_2,w_3,w_4)$ holds if and only if

A. $c_1 = 0$ and at most one among $c_m$, $x_m$ and $y_m$ is 1,
B. for every $i \in [2,m]$, $c_i = \mathit{maj}(x_{i-1}, y_{i-1}, c_{i-1})$,   (†)
C. for every $i \in [1,m]$, $z_i = (x_i \oplus y_i) \oplus c_i$,

where $\mathit{maj}(\varphi,\psi,\chi) := (\varphi \wedge \psi) \vee (\varphi \wedge \chi) \vee (\psi \wedge \chi)$ and $\varphi \oplus \psi := (\varphi \vee \psi) \wedge \neg(\varphi \wedge \psi)$ are the standard Boolean functions majority and exclusive or, respectively. When it comes to capturing $+_k$ with an $\mathrm{ML}(\exists^k_{fo})$ formula, the key property is that the conditions (A), (B) and (C) can be checked with first-order quantification, by going through the binary encodings of $n_k(w_1)$, $n_k(w_2)$, $n_k(w_3)$ and $n_k(w_4)$ bit by bit, as one would do to check if an addition with carry was performed correctly.

    Formula                       | Expected semantics               | Assumptions
    $0_j$                         | $n_j(w) = 0$                     | $w$ is the current world, which is assumed
    $1_j$                         | $n_j(w) = 1$                     | to satisfy $\mathit{type}(j-1,n)$.
    $E_j$                         | $n_j(w) = t(j,n) - 1$            |
    $\mathit{add}^i_k(x,y,z,c)$   | $+_{k-i+1}(w_x,w_y,w_z,w_c)$     | $w_p$ corresponds to the $i$-local nominal $p \in \{x,y,z,c\}$
                                  |                                  | and is assumed to satisfy $\mathit{type}(k-i,n)$.

Fig. 2: Auxiliary formulae used in the definition of $\mathit{type}(k,n)$, where $i = k = 1$ or $i < k$.
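To make the encoding $n_j(\cdot)$ and the characterisation (†) concrete, here is an added Python example (not from the paper): it builds worlds that encode numbers at levels $k = 1$ and $k = 2$ exactly as $n_j(\cdot)$ prescribes, evaluates $+_k$ through conditions (A), (B), (C), and cross-checks (†) against schoolbook addition, including the no-overflow case enforced by (A). The tower function $t$, the class and all world/value names are assumptions of this example.

```python
"""Added example, not from the paper: the numeric encoding n_j(w) of a pointed
forest and the addition-with-carry relation +_k, checked through (A), (B), (C).
All world names and numeric values below are constructed."""


def t(k, n):
    """Tower function assumed from the paper: t(0,n) = n, t(k+1,n) = 2^t(k,n)."""
    for _ in range(k):
        n = 2 ** n
    return n


class Forest:
    """Kripke-style forest K = (W, R, V): children[w] is R(w), val[w] the
    set of propositions true at w (hypothetical helper class)."""

    def __init__(self):
        self.children, self.val, self._fresh = {}, {}, 0

    def add_world(self, props=(), parent=None):
        name = f"w{self._fresh}"          # constructed world name
        self._fresh += 1
        self.children[name], self.val[name] = [], set(props)
        if parent is not None:
            self.children[parent].append(name)
        return name

    def encode(self, value, k, n, parent=None):
        """Create a world w with n_k(w) = value: for k = 1 the bits live in
        p_1..p_n; for k > 1 the world gets t(k-1,n) children, the child
        encoding i carrying b iff bit i (0-based) of value is set."""
        if k == 1:
            props = {f"p{i}" for i in range(1, n + 1) if value >> (i - 1) & 1}
            return self.add_world(props, parent)
        w = self.add_world((), parent)
        for i in range(t(k - 1, n)):
            child = self.encode(i, k - 1, n, parent=w)
            if value >> i & 1:
                self.val[child].add("b")
        return w

    def number(self, w, j, n):
        """n_j(w) as defined in the text."""
        if j == 1:
            return sum(2 ** (i - 1) for i in range(1, n + 1) if f"p{i}" in self.val[w])
        return sum(2 ** self.number(c, j - 1, n) for c in self.children[w] if "b" in self.val[c])


def maj(a, b, c):
    return (a and b) or (a and c) or (b and c)


def xor(a, b):
    return (a or b) and not (a and b)


def bit(v, i):
    """i-th least significant bit of v (i >= 1)."""
    return bool(v >> (i - 1) & 1)


def plus_rel(x, y, z, c, m):
    """Conditions (A), (B), (C) of (†) on m-bit numbers: z is the claimed sum
    of x and y, c the claimed carry vector."""
    cond_a = (not bit(c, 1)) and int(bit(c, m)) + int(bit(x, m)) + int(bit(y, m)) <= 1
    cond_b = all(bit(c, i) == maj(bit(x, i - 1), bit(y, i - 1), bit(c, i - 1))
                 for i in range(2, m + 1))
    cond_c = all(bit(z, i) == xor(xor(bit(x, i), bit(y, i)), bit(c, i))
                 for i in range(1, m + 1))
    return bool(cond_a and cond_b and cond_c)


def plus_k(K, w1, w2, w3, w4, k, n):
    """+_k(w1, w2, w3, w4): (†) applied to the numbers the four worlds encode,
    on m = t(k-1, n) bits."""
    nums = [K.number(w, k, n) for w in (w1, w2, w3, w4)]
    return plus_rel(*nums, t(k - 1, n))


def carry_vector(x, y, m):
    """Carries produced by schoolbook addition of x and y on m bits (c_1 = 0)."""
    c, carry = 0, 0
    for i in range(1, m + 1):
        if carry:
            c |= 1 << (i - 1)
        carry = int(maj(bit(x, i), bit(y, i), carry))
    return c


def characterisation_matches_arithmetic(m):
    """For all x, y on m bits, (†) holds for exactly one pair (z, c) when the
    sum does not overflow (z = x + y, c its carries) and for none otherwise."""
    for x in range(2 ** m):
        for y in range(2 ** m):
            sols = [(z, c) for z in range(2 ** m) for c in range(2 ** m)
                    if plus_rel(x, y, z, c, m)]
            expected = [(x + y, carry_vector(x, y, m))] if x + y < 2 ** m else []
            if sols != expected:
                return False
    return True


def paper_example():
    """The page's instance: 3 + 5 = 8 with carries 14 on 4 bits (k = 1, n = 4)."""
    K = Forest()
    worlds = [K.encode(v, 1, 4) for v in (3, 5, 8, 14)]
    return plus_k(K, *worlds, k=1, n=4)
```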


A schema for $\mathit{type}(k,n)$. We move to the definition of $\mathit{type}(k,n)$. In view of its specification given in Lemma 1, the formula is defined recursively on $k$. For simplicity, we extend $\mathit{type}(k,n)$ to $k = 0$, and define it as $\top$. To express the condition (1) of Lemma 1, we rely on the auxiliary formulae presented in Fig. 2, which we later define. For $k,n \in \mathbb{N}_+$, we define $\mathit{type}(k,n)$ as:

$\Box\mathit{type}(k-1,n) \wedge \Diamond 0_k \wedge \Diamond 1_k \wedge \Diamond E_k \wedge$
$\forall^1 x\,\forall^1 y\,\big(\Diamond y \wedge @^1_y \neg x \implies \exists^1 z\,\exists^1 c : \Diamond c \wedge @^1_z \neg 0_k \wedge (\mathit{add}^1_k(x,z,y,c) \vee \mathit{add}^1_k(y,z,x,c))\big)$.

Whereas the first conjunct of $\mathit{type}(k,n)$ clearly encodes the condition (2) of Lemma 1, the remaining part of the formula forces the condition (1) by saying that the current world $w$ has three children encoding the numbers 0, 1 and $t(k,n)-1$, respectively, and that for every two children $w_x, w_y$ of $w$, if $w_x \ne w_y$ (subformula $\Diamond y \wedge @^1_y \neg x$) then there is a child $w_z$ of $w$ such that $n_k(w_z) \ne 0$, and $n_k(w_x) + n_k(w_z) = n_k(w_y)$ or $n_k(w_y) + n_k(w_z) = n_k(w_x)$. Hence, in combination with $\Diamond 0_k$, $\Diamond 1_k$ and $\Diamond E_k$, the last conjunct of $\mathit{type}(k,n)$ not only states that distinct children of $w$ must encode different numbers, but also that every number of $[0,t(k,n)-1]$ must be encoded by some child of $w$.

To effectively construct $\mathit{type}(k,n)$, what is left is to define the formulae in Fig. 2. Given how the numbers $n_k(\cdot)$ are encoded, the definitions of $0_k$, $1_k$ and $E_k$ are simple. For the case $k = 1$, we define $0_1 := \bigwedge_{i \in [1,n]} \neg p_i$, $1_1 := (p_1 \wedge \bigwedge_{i \in [2,n]} \neg p_i)$ and $E_1 := \bigwedge_{i \in [1,n]} p_i$. For $k \ge 2$, we define instead: $0_k := \Box\neg b$, $1_k := \Box(b \to 0_{k-1})$, and $E_k := \Box b$. The main difficulty lies in how to define $\mathit{add}^i_k$, which requires a recursive definition. Below, we consider three cases. First, we consider the base case $i = k = 1$ and define $\mathit{add}^1_1$ by only using the local quantifiers $\exists^1$. Afterwards, we consider the case $1 \le i < k-1$ and define the formula $\mathit{add}^i_k$ by using local quantifiers $\exists^1,\dots,\exists^{k-1}$. This formula relies on the definition of $\mathit{add}^{i+1}_k$, which we assume to be defined by inductive reasoning. Lastly, we consider the only remaining case of $i = k-1$, and define $\mathit{add}^{k-1}_k$ by using quantifiers $\exists^{k-1}$ and $\exists^1$, and without relying on the definition of $\mathit{add}^k_k$. This case is left for last as it is somewhat more involved than the other two cases, and some ingenuity is required to define $\mathit{add}^{k-1}_k$ without relying on the local quantifiers $\exists^k$. The ad-hoc treatment of this case is however fundamental, as it leads to $\mathit{type}(k,n)$ being a round-bounded formula of the logic $\mathrm{ML}(\exists^{k-1}_{fo})$, for every $k \ge 2$.

Case: $i = k = 1$. Recall that the numbers $n_1(\cdot)$ are encoded using the truth values of $p_1,\dots,p_n \in \mathrm{AP}$. Then, $\mathit{add}^1_1$ simply follows the constraints (†) of $+_1$:

$\mathit{add}^1_1(x,y,z,c) := @^1_c \neg p_1 \wedge \bigwedge_{q \in \{x,y,c\}} \big(@^1_q p_n \to \bigwedge_{r \in \{x,y,c\} \setminus \{q\}} @^1_r \neg p_n\big)$   (A)
$\wedge \bigwedge_{i \in [2,n]} \big(@^1_c p_i \leftrightarrow \mathit{maj}(@^1_x p_{i-1}, @^1_y p_{i-1}, @^1_c p_{i-1})\big)$   (B)
$\wedge \bigwedge_{i \in [1,n]} \big(@^1_z p_i \leftrightarrow ((@^1_x p_i \oplus @^1_y p_i) \oplus @^1_c p_i)\big)$   (C)


Case: $1 \le i < k-1$. To define $\mathit{add}^i_k$, we assume by inductive reasoning that the formula $\mathit{add}^{i+1}_k$ is correctly defined, following its specification in Fig. 2. We specialise $\mathit{add}^{i+1}_k$ to define the two auxiliary formulae below:

$\mathit{eq}^{i+1}_k(x,y) := \exists^{i+1} z, c : @^{i+1}_z 0_{k-i} \wedge @^{i+1}_c 0_{k-i} \wedge \mathit{add}^{i+1}_k(y,z,x,c)$;
$\mathit{succ}^{i+1}_k(x,y) := \exists^{i+1} z, c : @^{i+1}_z 1_{k-i} \wedge \mathit{add}^{i+1}_k(y,z,x,c)$.

Given $x$ and $y$ two $(i+1)$-local nominals for $(K,w)$, with corresponding worlds $w_x$ and $w_y$, if $K,w' \models \mathit{type}(k-i,n)$ for some $w' \in R^i(w)$, then:

– $K,w \models \mathit{eq}^{i+1}_k(x,y)$ if and only if $n_{k-i}(w_x) = n_{k-i}(w_y)$;

– $K,w \models \mathit{succ}^{i+1}_k(x,y)$ if and only if $n_{k-i}(w_x) = n_{k-i}(w_y) + 1$.

Notice that the semantics of $\mathit{succ}^{i+1}_k$ and $\mathit{eq}^{i+1}_k$ is given under the hypothesis that a world in $R^i(w)$ satisfies $\mathit{type}(k-i,n)$. This extra hypothesis ensures that the local quantifiers $\exists^{i+1} z$ and $\exists^{i+1} c$ used to define $\mathit{succ}^{i+1}_k$ and $\mathit{eq}^{i+1}_k$ quantify over a set of worlds encoding all the numbers in $[0, t(k-(i+1),n)-1]$, so that no possible addition with carry is missing. In defining $\mathit{add}^i_k(x,y,z,c)$, this hypothesis is clearly satisfied, as the worlds corresponding to the $i$-local nominals $x$, $y$, $z$ and $c$ are assumed to satisfy $\mathit{type}(k-i,n)$.

By relying on $\mathit{succ}^{i+1}_k$ and $\mathit{eq}^{i+1}_k$, we define $\mathit{add}^i_k(x,y,z,c)$ again by following the characterisation (†) of $+_{k-i+1}$, as shown below (where $X = \{x,y,c\}$):

$\forall^{i+1}\bar{x},\bar{y},\bar{z},\bar{c},\bar{g} : @^i_x \Diamond\bar{x} \wedge @^i_y \Diamond\bar{y} \wedge @^i_z \Diamond\bar{z} \wedge @^i_c(\Diamond\bar{c} \wedge \Diamond\bar{g}) \implies$
(A): $@^{i+1}_{\bar{c}}(0_{k-i} \to \neg b) \wedge \big((\bigwedge_{v \in X} @^{i+1}_{\bar{v}} E_{k-i}) \to \bigwedge_{v \in X}(@^{i+1}_{\bar{v}} b \to \bigwedge_{u \in X \setminus \{v\}} @^{i+1}_{\bar{u}} \neg b)\big)$
(B): $\wedge\ \big(\mathit{eq}^{i+1}_k(\bar{x},\bar{y}) \wedge \mathit{eq}^{i+1}_k(\bar{y},\bar{c}) \wedge \mathit{succ}^{i+1}_k(\bar{g},\bar{c}) \to (@^{i+1}_{\bar{g}} b \leftrightarrow \mathit{maj}(@^{i+1}_{\bar{x}} b, @^{i+1}_{\bar{y}} b, @^{i+1}_{\bar{c}} b))\big)$
(C): $\wedge\ \big(\mathit{eq}^{i+1}_k(\bar{x},\bar{y}) \wedge \mathit{eq}^{i+1}_k(\bar{y},\bar{z}) \wedge \mathit{eq}^{i+1}_k(\bar{z},\bar{c}) \to (@^{i+1}_{\bar{z}} b \leftrightarrow ((@^{i+1}_{\bar{x}} b \oplus @^{i+1}_{\bar{y}} b) \oplus @^{i+1}_{\bar{c}} b))\big)$.

The first line of $\mathit{add}^i_k$ binds the propositions $\bar{x}$, $\bar{y}$, $\bar{z}$, and $\bar{c}$ and $\bar{g}$ to children of $x$, $y$, $z$ and $c$, respectively. Afterwards, the formula follows closely the constraints in (†). For instance, the last conjunct characterises the condition (C) by saying that whenever we consider children $w_{\bar{x}}$, $w_{\bar{y}}$, $w_{\bar{z}}$ and $w_{\bar{c}}$ of $w_x$, $w_y$, $w_z$ and $w_c$ respectively, if $j = n_{k-i}(w_{\bar{x}}) = n_{k-i}(w_{\bar{y}}) = n_{k-i}(w_{\bar{z}}) = n_{k-i}(w_{\bar{c}})$ for some $j \in \mathbb{N}$, then $n_{k-i+1}(w_z)[j] = ((n_{k-i+1}(w_x)[j] \oplus n_{k-i+1}(w_y)[j]) \oplus n_{k-i+1}(w_c)[j])$, where $n_{k-i+1}(w)[j]$ is the $(j+1)$-th least significant digit of the number encoded by a world $w$.


Case: $i = k-1$. To complete the definition of $\mathit{add}^i_k$, what is left is to define $\mathit{add}^{k-1}_k$ by only using quantifiers $\exists^{k-1}$ and $\exists^1$. Below, the worlds $w_x$, $w_y$, $w_z$ and $w_c$, corresponding to the $(k-1)$-local nominals $x$, $y$, $z$ and $c$, satisfy $\mathit{type}(1,n)$, and so accordingly with $n_2(\cdot)$ they encode a number by looking at the value of the proposition $b$ in their children, which themselves encode a number $n_1(\cdot)$. To properly define $\mathit{add}^{k-1}_k(x,y,z,c)$, we rely on the fact that these children encode $n$-bit numbers, with $n$ given in unary. Then, instead of employing a quantifier $\exists^k$ to refer to one of these children, we can rely on $n+1$ local quantifiers $\exists^{k-1}$ to copy the values of $p_1,\dots,p_n$ and $b$ of a child directly on its parent. For instance, to check if $w_x$ and $w_y$ have children encoding the same numbers and equisatisfying $b$, one can follow the steps below, also sketched in Fig. 3:

1. using $\exists^{k-1}$, we quantify over fresh propositional symbols $r^v_1,\dots,r^v_n$ and $q_v$, with $v \in \{x,y\}$, to modify the truth of these symbols on $w_x$ and $w_y$;

2. using $@^{k-1}_x$, we move the evaluation point to $w_x$. We check that the truth of the propositions $r^x_1,\dots,r^x_n, q_x$ on $w_x$ is mirroring the truth of $p_1,\dots,p_n,b$ on a child of $w_x$. For this, we rely on the formula $\mathit{copy}((r^x_1,\dots,r^x_n), q_x)$ that, for an $n$-tuple of atomic propositions $r = (r_1,\dots,r_n)$ and $q \in \mathrm{AP}$, is defined as: $\mathit{copy}(r,q) := \exists^1 u : \Diamond u \wedge (q \leftrightarrow @^1_u b) \wedge \bigwedge_{i \in [1,n]} (r_i \leftrightarrow @^1_u p_i)$. This step is also done (in parallel) for $w_y$, by relying on $\mathit{copy}((r^y_1,\dots,r^y_n), q_y)$;

3. with respect to the initial point of evaluation $w$, we check that the truth of the propositions $r^x_1,\dots,r^x_n, q_x$ on $w_x$ corresponds to the truth of $r^y_1,\dots,r^y_n, q_y$ on $w_y$, i.e. $@^{k-1}_x q_x \leftrightarrow @^{k-1}_y q_y$ and $@^{k-1}_x r^x_i \leftrightarrow @^{k-1}_y r^y_i$, for all $i \in [1,n]$.

This idea of copying information about children of $w_x$, $w_y$, $w_z$ and $w_c$ directly in these four worlds is at the base of our definition of $\mathit{add}^{k-1}_k$, which we now formalise. Similarly to $n_1(\cdot)$, for an $n$-tuple of symbols $r = (r_1,\dots,r_n)$, $n_r(w) := \sum\{2^{i-1} : i \in [1,n], w \in V(r_i)\}$ stands for the $n$-bit number encoded by the world $w$ by looking at the truth values of $r_1,\dots,r_n$. Given a second $n$-tuple of atomic propositions $s = (s_1,\dots,s_n)$, we introduce the formulae

$\mathit{succ}(r@x, s@y) := \bigvee_{i \in [1,n]} \big(@^{k-1}_x r_i \wedge @^{k-1}_y \neg s_i \wedge \bigwedge_{j \in [1,i-1]} (@^{k-1}_x \neg r_j \wedge @^{k-1}_y s_j) \wedge \bigwedge_{j \in [i+1,n]} (@^{k-1}_x r_j \leftrightarrow @^{k-1}_y s_j)\big)$
and $\mathit{eq}(r@x, s@y) := \bigwedge_{i \in [1,n]} (@^{k-1}_x r_i \leftrightarrow @^{k-1}_y s_i)$, having the following semantics:

– $K,w \models \mathit{eq}(r@x, s@y)$ if and only if $n_r(w_x) = n_s(w_y)$; and

– $K,w \models \mathit{succ}(r@x, s@y)$ if and only if $n_r(w_x) = n_s(w_y) + 1$.

The correctness of $\mathit{succ}(r@x, s@y)$ follows from standard arithmetical properties: for two $n$-bit numbers $a$ and $b$ represented as binary bit vectors with most significant digit first, $a = b + 1$ holds iff $a = c\,1\,\mathbf{0}$ and $b = c\,0\,\mathbf{1}$ hold for a prefix $c \in \{0,1\}^*$ and bit vectors of the same length $\mathbf{0} \in \{0\}^*$ and $\mathbf{1} \in \{1\}^*$.

[Fig. 3: image not reproduced in this extraction.]
Fig. 3: Steps to check if two children of $w_x$ and $w_y$ encoding the same $n_1(\cdot)$ equisatisfy $b$.

The definition of $\mathit{add}^{k-1}_k(x,y,z,c)$ is given below, where $X := \{x,y,c\}$ and, for $v \in \{x,y,z,c,g\}$, $r_v = (r^v_1,\dots,r^v_n)$ and $\forall^{k-1} r_v$ is short for $\forall^{k-1} r^v_1 \cdots \forall^{k-1} r^v_n$.

$\forall^{k-1} r_x, q_x, r_y, q_y, r_z, q_z, r_c, q_c, r_g, q_g : \bigwedge_{v \in \{x,y,z,c\}} @^{k-1}_v \mathit{copy}(r_v,q_v) \wedge @^{k-1}_c \mathit{copy}(r_g,q_g) \implies$
(A): $@^{k-1}_c \Box(0_1 \to \neg b) \wedge \bigwedge_{v \in X}\big(@^{k-1}_v \Diamond(E_1 \wedge b) \to \bigwedge_{u \in X \setminus \{v\}} @^{k-1}_u \Box(E_1 \to \neg b)\big)$
(B): $\wedge\ \big(\mathit{eq}(r_x@x, r_y@y) \wedge \mathit{eq}(r_y@y, r_c@c) \wedge \mathit{succ}(r_g@c, r_c@c) \to (@^{k-1}_c q_g \leftrightarrow \mathit{maj}(@^{k-1}_x q_x, @^{k-1}_y q_y, @^{k-1}_c q_c))\big)$
(C): $\wedge\ \big(\mathit{eq}(r_x@x, r_y@y) \wedge \mathit{eq}(r_y@y, r_z@z) \wedge \mathit{eq}(r_z@z, r_c@c) \to (@^{k-1}_z q_z \leftrightarrow ((@^{k-1}_x q_x \oplus @^{k-1}_y q_y) \oplus @^{k-1}_c q_c))\big)$.

Notice that this formula first quantifies over fresh atomic propositions $r_v$ and $q_v$, with $v \in \{x,y,z,c,g\} \subseteq \mathrm{AP}$, so that the worlds $w_x$, $w_y$, $w_z$, $w_c$ copy the truth of $p_1,\dots,p_n$ and $b$ of some of their children w.r.t. the fresh atomic propositions (see subformula $\bigwedge_{v \in \{x,y,z,c\}} @^{k-1}_v \mathit{copy}(r_v,q_v) \wedge @^{k-1}_c \mathit{copy}(r_g,q_g)$). Afterwards, the formula follows very closely the constraints (†) of $+_2$.

By induction on $i$, we show that $\mathit{add}^i_k$ respects the specification from Fig. 2.

Lemma 2. Let $(K,w)$ be a pointed forest, and $x,y,z,c$ be four $i$-local nominals for $(K,w)$, with corresponding worlds $w_x$, $w_y$, $w_z$ and $w_c$. If $K,w_p \models \mathit{type}(k-i,n)$ for every $p \in \{x,y,z,c\}$, then $K,w \models \mathit{add}^i_k(x,y,z,c)$ iff $+_{k-i+1}(w_x,w_y,w_z,w_c)$.


Making $\mathit{add}^i_k$ polynomial. At this stage, $\mathit{add}^i_k$ ($i < k-1$) has size exponential in $k$, as it is recursively defined using multiple occurrences of $\mathit{add}^{i+1}_k$ (appearing inside $\mathit{eq}^{i+1}_k$ and $\mathit{succ}^{i+1}_k$). However, all these occurrences have the same polarity, i.e. they all appear positively in the antecedents of the implications for the conditions (B) or (C). This property allows us to rely on a recursion trick by Fischer and Rabin [20] to obtain a polynomial size formulation of $\mathit{add}^i_k$. In a nutshell, given a first-order formula $\psi(\mathbf{x})$ free in the tuple of variables $\mathbf{x}$, the trick consists in rewriting $\psi(\mathbf{y}) \wedge \psi(\mathbf{z})$ as $\forall \mathbf{x} : (\mathbf{x} = \mathbf{y} \vee \mathbf{x} = \mathbf{z}) \to \psi(\mathbf{x})$, so that the size of the formula becomes only $|\psi(\mathbf{x})|$ plus a constant, instead of being roughly twice $|\psi(\mathbf{x})|$. In a similar way, one can treat arbitrary formulae, as long as all occurrences of $\psi(\mathbf{x})$ have the same polarity, as is the case of $\mathit{add}^{i+1}_k$. The (simple) manipulation of the formula $\mathit{add}^i_k$ using this trick directly leads to a definition of $\mathit{type}(k,n)$ of size polynomial in $k$ and $n$.


Multi-tiling. The definition of $\mathit{type}(k,n)$ provides the key technical step required to show the lower bounds of Thms. 1 and 2. Using this formula, both theorems can be proved by suitable reductions from the $k$-exp alternating multi-tiling problem ($k$AMTP), as we now briefly discuss.

A multi-tiling system $\mathcal{P}$ is a tuple $(T, T_0, T_{acc}, H, V, M, n)$ where $T$ is a finite set of tile types, $T_0, T_{acc} \subseteq T$ are sets of initial and accepting tiles, respectively, $n \in \mathbb{N}_+$ (written in unary) is the dimension of the system, and $H, V, M \subseteq T \times T$ are the horizontal, vertical and multi-tiling matching relations, respectively.

Fix $k \in \mathbb{N}_+$. We write $\overline{X}$ for the set of words of length $t(k,n)$ over an alphabet $X$. The initial row $I(f)$ of a map $f : [0,t(k,n)-1]^2 \to T$ is the word $f(0,0), f(0,1), \dots, f(0,t(k,n)-1)$ from $\overline{T}$. A tiling for the grid $[0,t(k,n)-1]^2$ is a tuple $(f_1, f_2, \dots, f_n)$ such that, for all $\ell \in [1,n]$, the following conditions hold:

maps. $f_\ell : [0,t(k,n)-1]^2 \to T$ assigns a tile type to each position of the grid;
init & acc. $I(f_\ell) \in \overline{T_0}$, and $f_n(t(k,n)-1, j) \in T_{acc}$ for some $0 \le j < t(k,n)$;
hori. $(f_\ell(i,j), f_\ell(i+1,j)) \in H$, for every $i \in [0,t(k,n)-2]$ and $0 \le j < t(k,n)$;
vert. $(f_\ell(i,j), f_\ell(i,j+1)) \in V$, for every $j \in [0,t(k,n)-2]$ and $0 \le i < t(k,n)$;
multi. if $\ell < n$ then $(f_\ell(i,j), f_{\ell+1}(i,j)) \in M$ for every $0 \le i,j < t(k,n)$.

The $k$AMTP takes as input $\mathcal{P}$ and a quantifier prefix $Q = (Q_1,\dots,Q_n) \in \{\exists,\forall\}^n$, and accepts whenever the statement "$Q_1 w_1 \in \overline{T_0} \dots Q_n w_n \in \overline{T_0}$ : there is a tiling $(f_1,\dots,f_n)$ of $[0,t(k,n)-1]^2$ s.t. $I(f_\ell) = w_\ell$ for all $\ell \in [1,n]$" is true.

The $\mathrm{AEXP}_{pol}$-completeness of $k$AMTP for $k = 1$ can be traced back to [11]. The proof therein is independent from the size of the grid, and can be easily adapted to show $k\mathrm{AEXP}_{pol}$-completeness for arbitrary $k$ (see [24] for a self-contained presentation). The problem is $k$NEXP-complete if we fix $Q$ to only contain existential quantifiers. For the lower bound of Thm. 1, we reduce $k$AMTP on instances with $Q \in \{\exists\}^n$ to the sat. problem of $\mathrm{ML}(\exists^k_{fo})$, so that the translation produces a formula of $\mathrm{ML}(\exists^1_{fo})$ of modal depth 1 for the case $k = 1$, and otherwise a round-bounded formula from $\mathrm{ML}(\exists^{k-1}_{fo})$ of modal depth $k$. For Thm. 2 we get a similar reduction, from instances of the $k$AMTP with arbitrary $Q$ to $\mathrm{ML}(\exists^k_{so})$.

The first step is to define an $\mathrm{ML}(\exists^k_{fo})$ formula $\mathit{grid}(k,n)$ that, when satisfied by a pointed forest $(K,w)$, forces the children of $w$ to encode every position in the grid $[0,t(k,n)-1]^2$, together with a formula $\mathit{tiling}(k,\mathcal{P})$ that characterises the various tiling conditions. Fortunately, both these formulae can be defined as in [7], modulo very minor changes. Briefly, each child $w'$ of $w$ shall encode a different pair of numbers $(n^H_k(w'), n^V_k(w'))$ representing a position in the grid. The number of bits required to represent $n^H_k(w')$ and $n^V_k(w')$ is the same as for $n_k(\cdot)$, which allows us to define $\mathit{grid}(k,n)$ by slightly updating $\mathit{type}(k,n)$. In particular, $n^H_k(w')$ and $n^V_k(w')$ can be encoded by requiring $w'$ to satisfy $\mathit{type}(k-1,n)$, and by using fresh symbols $p^H_1,\dots,p^H_n,b^H$ and $p^V_1,\dots,p^V_n,b^V$ to encode $(n^H_k(w'), n^V_k(w'))$.

For $k = 1$, the horizontal position is $n^H_1(w') = \sum\{2^{i-1} : i \in [1,n] \text{ and } w' \in V(p^H_i)\}$. For $k \ge 2$, $n^H_k(w') := \sum\{2^i : \exists w'' \in R(w') \text{ s.t. } n_{k-1}(w'') = i \text{ and } w'' \in V(b^H)\}$. The vertical position $n^V_k(w')$ is defined in a similar way. Notice that, in the case of $k \ge 2$, $n^H_k(w')$ and $n^V_k(w')$ are defined in terms of $n_{k-1}(w'')$, and thus using the $t(k-1,n)$ children of $w'$. For $\mathit{tiling}(k,\mathcal{P})$, we see each tile type $t \in T$ as an atomic proposition, and consider $n$ distinct copies $t^{(1)},\dots,t^{(n)} \in \mathrm{AP}$ of it, so that the maps $f_1,\dots,f_n$ can be encoded using just the set of worlds forced by $\mathit{grid}(k,n)$. In particular, for every $i \in [1,n]$, each child $w'$ shall satisfy exactly one proposition in $\{t^{(i)} : t \in T\}$, encoding the fact that $f_i(n^H_k(w'), n^V_k(w')) = t$.

Following the above specification, the toolkit of formulae in Fig. 2 can be easily adapted to express properties of the horizontal and vertical positions encoded by a world, leading to the definition of $\mathit{grid}(k,n)$ and $\mathit{tiling}(k,\mathcal{P})$. For instance, given $G \in \{H,V\}$ and $\varphi \in \{0_k, 1_k, E_k\}$ we define the formula $\varphi^G$ as follows: for $k = 1$ we set $\varphi^G := \varphi[p_i \leftarrow p^G_i : i \in [1,n]]$, and for $k \ge 2$ we set $\varphi^G := \varphi[b \leftarrow b^G]$. Then, $w'$ satisfies the formula $1^H_k \wedge 0^V_k$ whenever $(n^H_k(w'), n^V_k(w')) = (1,0)$.

Lemma 3. The $\mathrm{ML}(\exists^k_{fo})$ formula $\mathit{grid}(k,n) \wedge \mathit{tiling}(k,\mathcal{P})$ is satisfiable if and only if $k$AMTP accepts on input $(\mathcal{P},Q)$, with $Q \in \{\exists\}^n$.


For the lower bound of Thm. 2, it remains to show how to capture in $\mathrm{ML}(\exists^k_{so})$ the arbitrary prefixes of quantification $Q = (Q_1,\dots,Q_n)$ of $k$AMTP. Compared to [6,7], novel machinery is required to perform this step. As $\mathrm{ML}(\exists^k_{so})$ captures $\mathrm{ML}(\exists^k_{fo})$, we now see $\mathit{grid}(k,n)$ and $\mathit{tiling}(k,\mathcal{P})$ as formulae of $\mathrm{ML}(\exists^k_{so})$. For each tile type $t \in T$, we consider an additional set of copies $t^{(n+1)},\dots,t^{(2n)} \in \mathrm{AP}$. We also define $\mathbf{t}^{(i)} := (t_1^{(i)},\dots,t_r^{(i)})$, where $T = \{t_1,\dots,t_r\}$. We use the propositions in $\mathbf{t}^{(n+i)}$ to simulate the quantifier $Q_i$, which we recall quantifies over the possible initial rows $I(f_i) \in \overline{T_0}$ of the map $f_i$. If $Q_i = \exists$, we simulate this form of quantification with the following shortcut, parametric on $\varphi$:

$E_i(\varphi) := \exists^k \mathbf{t}^{(n+i)} : \varphi \wedge \Box\big(0^H_k \to \bigvee_{t \in T_0} (t^{(n+i)} \wedge \bigwedge_{s \in T_0 \setminus \{t\}} \neg s^{(n+i)})\big)$.

Here, the last conjunct states that each world encoding a position $(0,j)$ of the grid, for some $j \in [0,t(k,n)-1]$, satisfies exactly one proposition $t^{(n+i)}$ with $t \in T_0$. For $Q_i = \forall$, we just define $A_i(\varphi) := \neg E_i(\neg\varphi)$. Then, the prefix of quantification $Q$ is captured by $Q(\varphi) := Q_1(Q_2(\cdots Q_n(\varphi)))$, where $Q_i(\varphi) := E_i(\varphi)$ if $Q_i = \exists$, else $Q_i(\varphi) := A_i(\varphi)$. In deciding whether $K,w \models Q(\varphi)$ holds for a pointed forest $(K,w)$ satisfying $\mathit{grid}(k,n)$, the satisfaction of $\varphi$ is checked w.r.t. a model where each world encoding a position $(0,j)$ of the grid satisfies exactly one $t^{(n+i)}$ with $t \in T_0$, for all $i \in [1,n]$. In terms of tilings, this corresponds to having set the initial row $I(f_i) \in \overline{T_0}$ of each of the maps $f_i$. We now want to tile the remaining part of the grid by finding a suitable instantiation for $\varphi$. To do so, we quantify over all $\mathbf{t}^{(1)},\dots,\mathbf{t}^{(n)}$, searching for an arrangement of these propositions that satisfies $\mathit{tiling}(k,\mathcal{P})$ and such that, on worlds encoding a position $(0,j)$ of the grid, the satisfaction of propositions in $\mathbf{t}^{(i)}$ mirrors the satisfaction of the corresponding propositions in $\mathbf{t}^{(n+i)}$. In formula:

$\widetilde{\mathit{tiling}}(k,\mathcal{P}) := \exists^k \mathbf{t}^{(1)},\dots,\mathbf{t}^{(n)} : \mathit{tiling}(k,\mathcal{P}) \wedge \Box\big(0^H_k \to \bigwedge_{i=1}^{n} \bigwedge_{t \in T} (t^{(i)} \leftrightarrow t^{(n+i)})\big)$.

Lemma 4. The $\mathrm{ML}(\exists^k_{so})$ formula $\mathit{grid}(k,n) \wedge Q(\widetilde{\mathit{tiling}}(k,\mathcal{P}))$ is satisfiable if and only if $k$AMTP accepts on input $(\mathcal{P},Q)$.


Round-boundedness. In defining $\mathit{type}(k,n)$, we made sure to respect the following round-boundedness condition: $\mathit{type}(1,n)$ has modal depth 1 and belongs to $\mathrm{ML}(\exists^1_{fo})$, whereas for every $k \ge 2$, $\mathit{type}(k,n)$ is a round-bounded formula of $\mathrm{ML}(\exists^{k-1}_{fo})$ of modal depth $k$. The same holds for $\mathit{grid}(k,n)$, $\mathit{tiling}(k,\mathcal{P})$ and $Q(\widetilde{\mathit{tiling}}(k,\mathcal{P}))$. Then, Lemmas 3 and 4 imply the lower bounds of Thms. 1 and 2.


4 Upper bounds via a small-model property for $\mathrm{ML}(\exists^k_{so})$


In this section, we establish the following small model property.

Proposition 1. Each satisfiable round-bounded formula $\varphi$ in $\mathrm{ML}(\exists^k_{so})$ is satisfied by a pointed forest with $t(k+1, O(|\varphi|))$ worlds. Each satisfiable $\varphi$ in $\mathrm{ML}(\exists^k_{so})$ with $md(\varphi) \le k$ is satisfied by a pointed forest with $t(k, O(|\varphi|^2))$ worlds.


As the logic $\mathrm{ML}(\exists^k_{so})$ captures $\mathrm{ML}(\exists^k_{fo})$, Prop. 1 transfers to the latter logic. With this result at hand, the upper bounds of Thm. 1 and Thm. 2 easily follow. Consider a round-bounded formula $\varphi$ of either $\mathrm{ML}(\exists^k_{so})$ or $\mathrm{ML}(\exists^k_{fo})$ (the arguments for a formula of modal depth $k$ are similar). First, we guess a pointed forest $(K,w)$ with bounds as in Prop. 1. This can be done in $(k+1)$NEXP. Then, we check whether $(K,w)$ satisfies $\varphi$. For $\mathrm{ML}(\exists^k_{so})$, by seeing this logic as a fragment of monadic second-order logic, this can be done in polynomial time in the sizes of $(K,w)$ and $\varphi$ by using an alternating Turing machine that performs $|\varphi|$ many alternations. As $(K,w)$ has $(k+1)$-exponential size with respect to $|\varphi|$, the whole algorithm runs in $(k+1)\mathrm{AEXP}_{pol}$. For $\mathrm{ML}(\exists^k_{fo})$, we rely on the fact that there is a deterministic algorithm for the model checking problem of first-order logic that runs in time $O(|\varphi| \cdot M^{|\varphi|})$ where $M$ is the size of the model. From the bounds on $(K,w)$ we conclude that the procedure for $\mathrm{ML}(\exists^k_{fo})$ is in $(k+1)$NEXP.

Prop. 1 is shown through a quantifier elimination (QE) procedure that translates every formula of $\mathrm{ML}(\exists^k_{so})$ into an equivalent formula from GML, establishing Cor. 2 as a by-product. Without loss of generality, in this section we extend $\mathrm{ML}(\exists^k_{so})$ with graded modalities $\Diamond_{\ge j}\varphi$, with $j \in \mathbb{N}$ given in unary, and see the modality $\Diamond$ as a shortcut for $\Diamond_{\ge 1}$. Recall that a GML formula $\Diamond_{\ge j}\varphi$ can be represented with an $\mathrm{ML}(\exists^k_{so})$ formula of size $O(j + |\varphi|)$ (Sec. 2).




Parameters of a formula. Fig. 4 introduces a set of parameters for an $\mathrm{ML}(\exists^k_{so})$ formula $\varphi$, which we rely on to establish Prop. 1. For instance, for $\varphi = (p \vee \Diamond_{\ge 3} r) \wedge (q \vee \Diamond_{\ge 5}\Diamond_{\ge 2} q)$ we have $ap(1,\varphi) = \{r\}$, $gsf(0,\varphi) = \{\Diamond_{\ge 3} r, \Diamond_{\ge 5}\Diamond_{\ge 2} q\}$, $msf(1,\varphi) = \{r, \Diamond_{\ge 2} q\}$, $gsf(1,\varphi) = \{\Diamond_{\ge 2} q\}$, $gr(0,\varphi) = 5$ and $bd(0,\varphi) = 8$. Note that every GML formula $\varphi$ is a Boolean combination of formulae from $ap(0,\varphi) \cup gsf(0,\varphi)$, and for every $d \in \mathbb{N}$, $bd(d,\varphi) \le gr(d,\varphi) \cdot |msf(d+1,\varphi)|$.

For a set of formulae $\Phi = \{\varphi_1,\dots,\varphi_n\}$, we define $\mathcal{C}(\Phi)$ to be the set of all complete conjunctions of possibly negated formulae of $\Phi$. Formally, $\mathcal{C}(\Phi) = \{\psi_1 \wedge \cdots \wedge \psi_n : \text{for all } i \in [1,n],\ \psi_i \in \{\varphi_i, \neg\varphi_i\}\}$, and we fix $\mathcal{C}(\emptyset) = \{\top\}$. Given $P \subseteq_{fin} \mathrm{AP}$ we refer to the formulae in $\mathcal{C}(P)$ as $\rho_1, \rho_2, \dots$


$ap(d,\varphi)$ : set of atomic propositions of $\varphi$ in the scope of exactly $d$ graded modalities.
$gsf(d,\varphi)$ : set of subformulae $\Diamond_{\ge j}\psi$ of $\varphi$, in the scope of exactly $d$ graded modalities.
$msf(d,\varphi)$ : set of maximal subformulae of $\varphi$ in the scope of $d$ graded modalities: $msf(0,\varphi) = \{\varphi\}$, and $\psi \in msf(d+1,\varphi)$ iff $\Diamond_{\ge j}\psi \in gsf(d,\varphi)$ for some $j \in \mathbb{N}$.
$gr(d,\varphi)$ : largest $j \in \mathbb{N}$ such that either $j = 0$ or $\Diamond_{\ge j}\psi \in gsf(d,\varphi)$, for some $\psi$.
$bd(d,\varphi)$ : for $d = 0$, let $gsf(0,\varphi) = \{\Diamond_{\ge j_1}\psi_1, \dots, \Diamond_{\ge j_n}\psi_n\}$; then $bd(0,\varphi) := j_1 + \cdots + j_n$. For $d \ge 1$, $bd(d,\varphi) := \max\{bd(d-1,\psi) : \psi \in msf(1,\varphi)\}$.

Fig. 4: Parameters of an $\mathrm{ML}(\exists^k_{so})$ formula $\varphi$ ($d \in \mathbb{N}$).


Normal forms. We introduce a set of normal forms that are used by our QE procedure. An $\mathrm{ML}(\exists^k_{so})$ formula $\varphi$ is in prenex normal form if it is of the form $Q_1 p_1 Q_2 p_2 \cdots Q_n p_n\,\psi$ where $Q_i \in \{\exists^k, \forall^k\}$ and $\psi$ is in GML. If $\varphi$ is instead in $\mathrm{ML}(\exists^k_{so})$ but all quantifiers are under the scope of at least $k$ modalities, we say that $\varphi$ is in prenex normal form up to $k$. An $\mathrm{ML}(\exists^k_{so})$ formula $\varphi$ is in prenex round-bounded (p.r.b.) form if $\varphi$ is round-bounded and, for all $i \in \mathbb{N}$, all formulae in $msf(i \cdot k, \varphi)$ are in prenex normal form up to $k$. E.g., given a p.r.b. formula $\psi$ in $\mathrm{ML}(\exists^2_{so})$, $\exists^2 p\,\exists^2 q\,\Diamond\Diamond\exists^2 r\,\psi$ is in p.r.b. form, while $\exists^2 p\,\Diamond\exists^1 q\,\Diamond\exists^1 r\,\psi$ is not. Thanks to the equivalences below one can translate each round-bounded formula $\varphi$ of $\mathrm{ML}(\exists^k_{so})$ into an equivalent well-quantified p.r.b. formula of size $O(|\varphi|)$:

$\Diamond\exists^{k-1} p\,\varphi \equiv \exists^k p\,\Diamond\varphi$,   $\Box\exists^{k-1} p\,\varphi \equiv_{so} \exists^k p\,\Box\varphi$,   for $k \ge 2$. (‡)

Similarly, every $\varphi$ in $\mathrm{ML}(\exists^k_{so})$ of modal depth at most $k$ can be translated into a well-quantified prenex formula of $\mathrm{ML}(\exists^k_{so})$ having size $O(|\varphi|)$. Notice that the second equivalence in (‡) only holds on pointed forests and for the logic $\mathrm{ML}(\exists^k_{so})$. It does not hold for arbitrary Kripke structures, nor for $\mathrm{ML}(\exists^k_{fo})$.

Our QE procedure translates each formula of $\mathrm{ML}(\exists^k_{so})$ into a GML formula in disjoint normal form (called good formulae in [23, Def. 8.5]) for which it is easy to estimate bounds on the size of the smallest satisfying pointed forest, if any. We say that a set $\{\varphi_1,\dots,\varphi_n\}$ of formulae in GML is a disjoint set over $P \subseteq_{fin} \mathrm{AP}$ whenever for all $i,j \in [1,n]$, we have $\varphi_i = \rho_i \wedge \psi_i$ and $\varphi_j = \rho_j \wedge \psi_j$, where $\rho_i, \rho_j \in \mathcal{C}(P)$, $ap(0,\psi_i) \cap P = ap(0,\psi_j) \cap P = \emptyset$, and either $\psi_i = \psi_j$ or $(\psi_i \wedge \psi_j) \equiv \bot$. By taking $\rho_i$ and $\rho_j$ up-to commutativity and associativity of $\wedge$, a disjoint set over $P$ is also a disjoint set over any $P' \subseteq P$. We say that $\varphi$ is in disjoint normal form (DisjNF) if for every $d \in [0, md(\varphi)]$, $msf(d,\varphi)$ is a disjoint set over $\emptyset$.

Proposition 2 ([23], Lemma 8.7). Each satisfiable GML formula $\varphi$ in DisjNF is satisfied by a pointed forest with at most $(\max_{d \in \mathbb{N}}(bd(d,\varphi)) + 1)^{md(\varphi)}$ worlds.


To translate a well-quantified p.r.b. formula $\varphi$ from $\mathrm{ML}(\exists^k_{so})$ into a GML formula in DisjNF, we consider the largest $i \in \mathbb{N}$ for which $msf(i \cdot k, \varphi)$ is non-empty, and inductively translate, for each $j = i, i-1, \dots, 0$, all formulae in $msf(j \cdot k, \varphi)$ into equivalent ones in GML. At each of these $i+1$ rounds, the following two steps are applied at most $k$ times:

1. Let $\ell = \min\{r \in \mathbb{N}_+ : \text{all formulae of } msf(j \cdot k, \varphi) \text{ are in } \mathrm{ML}(\exists^r_{so})\}$. We update all $\psi \in msf(j \cdot k, \varphi)$ so that $msf(\ell,\psi)$ becomes a disjoint set over $bp(\psi)$.

2. By manipulating all quantified propositions of the formulae in $msf(\ell,\psi)$, we translate $\psi$ into a formula of either GML (if $\ell = 1$) or $\mathrm{ML}(\exists^{\ell-1}_{so})$ (if $\ell \ge 2$).

At the end of the round, $msf(j \cdot k, \varphi)$ solely contains GML formulae in DisjNF, and the next round considers the set $msf((j-1) \cdot k, \varphi)$, that now contains $\mathrm{ML}(\exists^k_{so})$ formulae in prenex normal form. The QE procedure has thus three key steps, which we now formalise: (I) manipulating a formula $\varphi$ so that $msf(j,\varphi)$ becomes a disjoint set, (II) eliminating the quantifier $\exists^1$ obtaining a formula from GML, and (III) reducing the elimination of $\exists^\ell$ to the elimination of $\exists^{\ell-1}$ (for $\ell \ge 2$).


Step (I): making a single set disjoint. Let j € Ny and P Cf, AP. We show how 
to transform a GML formula ọ into an equivalent formula w such that msf(j, Y) 
is a disjoint set over P. Two strategies are possible, which will be combined and 
carefully chosen in order to obtain the bounds required by Prop. 1. 

The first strategy considers the set S = C(P U ap(j, p) U gsf (j, ~)), which is 
disjoint over P (and so over Ø), and rewrites ọ into an equivalent formula a with 
msf (j, Y) C S. Consider y E€ msf (j, p). By definition of C(.), Vy cs x is a tautol- 
ogy, and since y is a Boolean combination of formulae in ap(j, Y) U gsf (j, p), for 
all x € S the formula y^ x is equivalent to either L or x. Then, y = Ve er X for 
some T C S. Notice that y € msf(j,y) holds if and only if O>;7 € gsf - 1,9), 
for some i € N. By relying on the equivalence of GML 


O>i(x1 V X2) = Vee (Osi,X1 A O>i2X2); whenever y1 A X2 =, 


we rewrite )>;7 into a Boolean combination of formulae >; with i’ < i and 
x € T CS. These steps are applied to all the formulae in msf(j, p). 

The second strategy is as follows: for each γ ∈ msf(j, φ) and ρ ∈ C(P), let γ_ρ = γ[p ← v : v ∈ {⊤, ⊥}, p ∈ P, and v = ⊤ iff p occurs positively in ρ]. Notice that ap(0, γ_ρ) ∩ P = ∅. As ρ gives a polarity to all propositions in P, we have ρ ∧ γ ≡ ρ ∧ γ_ρ. Set T = C({γ_ρ : γ ∈ msf(j, φ), ρ ∈ C(P)}). Consider S' = C(P ∪ T), which is a disjoint set over P, and replay the arguments used for S in the first strategy to rewrite φ into an equivalent formula ψ with msf(j, ψ) ⊆ S'.

While both strategies keep most of the parameters of Fig. 4 unchanged (one exception being ap(j, ψ) ⊆ ap(j, φ) ∪ P), they yield profoundly different bounds on the size of msf(j, ψ). Because of the definition of S, from the first strategy we obtain |msf(j, ψ)| ≤ 2^{|P| + |ap(j, φ)| + |gsf(j, φ)|}, where we highlight the exponential dependence on |gsf(j, φ)|, and thus on the number of outermost graded modalities appearing in formulae of msf(j, φ). From the definition of S', the second strategy yields |msf(j, ψ)| ≤ 2^{|P| + 2^{|P|} · |msf(j, φ)|}. Here, |msf(j, ψ)| does not depend on gsf(j, φ), but it is doubly exponential in |P|. Remarkably, in both strategies gsf(j, ψ) ⊆ gsf(j, φ), thus if msf(j+1, φ) is a disjoint set over ∅, so is msf(j+1, ψ). This property is essential, as it allows us to bring the full formula into DisjNF.


Step (II): eliminating ∃^1. Given a well-quantified formula φ = ∃^1 p φ', where φ' is in GML and msf(1, φ) is a disjoint set over P, and p ∈ P, it is quite easy to eliminate the quantifier ∃^1 p and produce a formula ψ in GML equivalent to φ and such that msf(1, ψ) is a disjoint set over P \ {p}. We sketch here the main points. First, from standard axioms of propositional calculus and by distributing ∃^1 p over ∨, we obtain a representation of φ as a disjunction of formulae of the form ∃^1 p (ρ ∧ γ) with ρ ∈ C(ap(0, φ')) and γ ∈ C(gsf(0, φ')). We eliminate the quantifier ∃^1 from every such disjunct ∃^1 p (ρ ∧ γ). Below, let χ be an arbitrary formula with p ∉ ap(0, χ). First, using the equivalences ∃^1 p (p ∧ χ) ≡ ∃^1 p χ and ∃^1 p (¬p ∧ χ) ≡ ∃^1 p χ, we get rid of the occurrences of p in ρ, obtaining a formula ρ' ∈ C(ap(0, φ') \ {p}). Next, we remove p from γ thanks to the equivalences:

\[ \exists^1 p\, \big(\Diamond_{\geq i}(p \wedge \chi) \wedge \Diamond_{\geq j}(\neg p \wedge \chi)\big) \equiv \Diamond_{\geq i+j}\chi ; \]

\[ \exists^1 p\, \big(\neg\Diamond_{\geq i}(p \wedge \chi) \wedge \neg\Diamond_{\geq j}(\neg p \wedge \chi)\big) \equiv \neg\Diamond_{\geq i+j-1}\chi . \]

We obtain a GML formula γ' such that ∃^1 p (ρ ∧ γ) ≡ ρ' ∧ γ'. Size-wise, Step (II) preserves all the parameters of Fig. 4 except gr(0, ψ) ≤ 2 · gr(0, φ).
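As an added worked instance of the first of the two equivalences above (not from the original text), take i = 1 and j = 2:

\[ \exists^1 p\, \big(\Diamond_{\geq 1}(p \wedge \chi) \wedge \Diamond_{\geq 2}(\neg p \wedge \chi)\big) \equiv \Diamond_{\geq 3}\chi . \]

Left to right: a successor satisfying p ∧ χ and two successors satisfying ¬p ∧ χ are three pairwise distinct successors satisfying χ. Right to left: given three χ-successors, make p true on one of them and false on the other two; since p ∉ ap(0, χ), this choice does not affect χ. The second equivalence is the complementary count: fewer than i successors in p ∧ χ and fewer than j in ¬p ∧ χ means at most (i−1) + (j−1) = i+j−2 successors in χ, i.e. ¬◇_{≥i+j−1}χ.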


Step (III): from ∃^{k+1} to ∃^k. Consider a well-quantified ML(∃^k) formula φ' having all quantifiers appearing outside the scope of graded modalities, and with the set msf(k+1, φ') disjoint over P. Given p ∈ P, we translate φ = ∃^{k+1} p φ' into an equivalent well-quantified ML(∃^k) formula ψ having all quantifiers outside the scope of graded modalities, and with the set msf(k+1, ψ) disjoint over P \ {p}. This is done by replacing ∃^{k+1} p with multiple ∃^k. The first step is to single out the occurrences of p under the scope of k+1 modalities by replacing them with a fresh symbol p̂ and splitting ∃^{k+1} p into ∃^k p and ∃^{k+1} p̂. We get φ ≡ ∃^k p ∃^{k+1} p̂ φ'', where φ'' = φ'[p ←_{k+1} p̂]. Let gsf(k, φ'') = {◇_{≥k₁}χ₁, ..., ◇_{≥kₙ}χₙ}. From the properties of φ', no proposition from bp(φ'') appears in the GML formulae χ₁, ..., χₙ. Using fresh propositions q₁, ..., qₙ, we rewrite φ as

\[ \exists^k p\; \exists^{k+1} \hat p\; \exists^k q_1, \dots, q_n :\; \varphi''[\Diamond_{\geq k_i}\chi_i \leftarrow_k q_i : 1 \leq i \leq n] \;\wedge\; \Box^k \bigwedge_{i=1}^{n} \big(q_i \Leftrightarrow \Diamond_{\geq k_i}\chi_i\big). \]

Essentially, the subformula □^k ⋀_{i=1}^{n} (q_i ⇔ ◇_{≥k_i}χ_i) constrains each q_i to be true in exactly those worlds satisfying ◇_{≥k_i}χ_i. This allows us to replace with q_i all occurrences of ◇_{≥k_i}χ_i appearing in φ'' under the scope of k modalities (first conjunct of the formula above), without changing the semantics of φ. By definition, φ''[◇_{≥k_i}χ_i ←_k q_i : 1 ≤ i ≤ n] has modal depth at most k, and thus the proposition p̂ does not occur in it. We reorder the existential prefix of the formula and, by distributing ∃^{k+1} p̂, conclude that φ is equivalent to:

\[ \exists^k p, q_1, \dots, q_n :\; \varphi''[\Diamond_{\geq k_i}\chi_i \leftarrow_k q_i : 1 \leq i \leq n] \;\wedge\; \exists^{k+1} \hat p\; \Box^k \bigwedge_{i=1}^{n} \big(q_i \Leftrightarrow \Diamond_{\geq k_i}\chi_i\big). \]

Lastly, we eliminate ∃^{k+1} p̂, obtaining the aforementioned ML(∃^k) formula ψ. Using the second equivalence in (+), we rewrite ∃^{k+1} p̂ □^k ⋀_{i=1}^{n} (q_i ⇔ ◇_{≥k_i}χ_i) into □^k ∃^1 p̂ ⋀_{i=1}^{n} (q_i ⇔ ◇_{≥k_i}χ_i). Since {χ₁, ..., χₙ} is a set of formulae from GML that is disjoint over (P \ {p}) ∪ {p̂}, by applying Step (II) one computes a formula ψ' in GML equivalent to ∃^1 p̂ ⋀_{i=1}^{n} (q_i ⇔ ◇_{≥k_i}χ_i) and such that msf(1, ψ') is a disjoint set over P \ {p}. Then, the (output) formula ψ is defined as follows:

\[ \psi \;\stackrel{\text{def}}{=}\; \exists^k p, q_1, \dots, q_n :\; \varphi''[\Diamond_{\geq k_i}\chi_i \leftarrow_k q_i : 1 \leq i \leq n] \;\wedge\; \Box^k \psi' . \]


Down to GML, inductively. The manipulations we just described yield the crucial inductive argument that allows us to translate any well-quantified prenex formula of ML(∃^k) into a formula of GML. Inductively on k, consider a well-quantified formula φ = Q₁p₁ ... Qₙpₙ φ', where each Q_i ∈ {∃^k, ∀^k}, the formula φ' is in GML and msf(k, φ) is a disjoint set over {p₁, ..., pₙ}. If k = 1, we repeatedly apply Step (II) to translate φ into a GML formula. If k ≥ 2, starting from pₙ down to p₁, we apply Step (III) to translate φ into a well-quantified prenex formula χ from ML(∃^{k−1}). Afterwards, we rely on the first strategy of Step (I) to make the set msf(k−1, χ) disjoint over bp(χ), and inductively obtain a GML formula ψ equivalent to φ. For the sake of conciseness, let

\[ |\varphi|_k \;\stackrel{\text{def}}{=}\; \max\Big(k,\; \Big|\bigcup_{i \in [0,k]} \mathrm{ap}(i, \varphi)\Big|,\; \max_{i \leq k} \mathrm{gr}(i, \varphi)\Big). \]

Fundamentally, the formula ψ has the same modal depth as φ, and for every i ∈ [0, k−1] it satisfies:

\[ \mathrm{gr}(i, \psi) \leq t\big(k-1,\; 2^{5 \cdot |\varphi|_k} \cdot |\mathrm{msf}(k, \varphi)|\big); \qquad |\mathrm{msf}(i, \psi)| \leq t\big(k-1,\; 2^{5 \cdot |\varphi|_k} \cdot |\mathrm{msf}(k, \varphi)|\big). \]


With these bounds at hand, Prop. 1 follows from Steps (I)–(III) and Prop. 2. First, consider the case of a well-quantified prenex formula φ in ML(∃^k) of modal depth k. Using the first strategy from Step (I), we translate φ into an equivalent formula ψ such that the set msf(k, ψ) is disjoint over bp(ψ) and has size exponential in |φ|. We apply the inductive argument discussed above, and translate ψ into a GML formula χ in DisjNF with md(χ) ≤ md(φ) and bd(d, χ) ≤ gr(d, χ) · |msf(d+1, χ)| ≤ t(k, O(|φ|²)) for all d ∈ ℕ. By Prop. 2, whenever satisfiable, φ is satisfied by a pointed forest with at most t(k, O(|φ|²)) worlds. The case of general p.r.b. formulae of ML(∃^k) is similar, but we need to appeal to the second strategy of Step (I) to stop the chain of exponential blow-ups. For simplicity, let us consider the case of φ being a well-quantified p.r.b. formula of modal depth at most 2k. The arguments used for this case can be adapted for formulae of arbitrary modal depth. First, we look at the formulae of msf(k, φ), whose modal depth is at most k, and eliminate all local quantifiers from each of these formulae, as described above. In doing so, |gsf(k, φ)| witnesses a k-exponential blow-up, but the size of msf(k, φ) is unchanged. We consider the quantification prefix of φ, and eliminate all its quantifiers over P to produce an equivalent formula from GML. The first step is to make the set msf(k, φ) a disjoint set over P. Because of the k-exponential blow-up on gsf(k, φ), the first strategy of Step (I) is of no use. We appeal to the second one, which modifies msf(k, φ) into a disjoint set of size only doubly-exponential in the size of the original formula φ. By relying on the inductive reasoning discussed above, we produce the equivalent GML formula in DisjNF. Because of the doubly-exponential bound on msf(k, φ), this elimination is exponentially worse than the one done for formulae of modal depth at most k. Then, appealing to Prop. 2 yields Prop. 1.


5 Further connections 


In introducing ML(4%,) and ML(3%,), one of our goals is to provide a common 
framework to relate several modal logics featuring propositional quantification 
in disguise. Apart from the relations stated in Sec. 2, in an extended version of 
this work we aim at establishing connections between ML({,) and propositional 
team logics [21], propositional logic of dependence [32] and ambient logics [13]; 
as well as connections between ML(S?3) and sabotage logics [8,4]. 
Abstract. Temporal stream logic (TSL) extends LTL with updates and 
predicates over arbitrary function terms. This allows for specifying data- 
intensive systems for which LTL is not expressive enough. In the se- 
mantics of TSL, functions and predicates are left uninterpreted. In this 
paper, we extend TSL with first-order theories, enabling us to specify 
systems using interpreted functions and predicates such as incrementa- 
tion or equality. We investigate the satisfiability problem of TSL mod- 
ulo the standard underlying theory of uninterpreted functions as well as 
with respect to Presburger arithmetic and the theory of equality: For all 
three theories, TSL satisfiability is neither semi-decidable nor co-semi- 
decidable. Nevertheless, we identify three fragments of TSL for which the 
satisfiability problem is (semi-)decidable in the theory of uninterpreted 
functions. Despite the undecidability, we present an algorithm — which 
is not guaranteed to terminate — for checking the satisfiability of a TSL 
formula in the theory of uninterpreted functions and evaluate it: It scales 
well and is able to validate assumptions in a real-world system design. 


1 Introduction 


Linear-time temporal logic (LTL) [32] is one of the standard specification lan- 
guages to describe properties of reactive systems. The success of LTL is largely 
due to its ability to abstract from the detailed data manipulations and to fo- 
cus on the change of control over time. In data-intensive applications, such as 
smartphone apps, LTL is, however, often not expressive enough to capture the 
relevant properties. When specifying a music player app, for instance, we would 
like to state that if the user leaves the app, the track that is currently playing 
will be stored and will resume playing once the user returns to the app. 

To specify data-intensive systems, extensions of LTL such as Constraint LTL 
(CLTL) [6] and, more recently, Temporal Stream Logic (TSL) [15] have been 
proposed. In CLTL, the atomic propositions of LTL are replaced with atomic 
constraints over a concrete domain D and an interpretation for relations. Relat- 
ing variables with the equality relation, such as x = y, denoting that the value 
of x is equal to the value of y, allows for specifying assignment-like statements. In 
this paper, however, we focus on the logic TSL to specify data-intensive systems. 

TSL extends LTL with updates and predicates over arbitrary function terms. An update [x ↢ f(y)] denotes that the result of applying function f to variable y is assigned to variable x. For the music player app, for instance, the update [paused ↢ track(current)] specifies that the track that is currently playing, obtained by applying function track to variable current, is stored in variable paused. Updates are the main characteristic of TSL that differentiates it from other first-order extensions of LTL: They allow for specifying the evolution of variables over time. Thus, programs can be represented in TSL and therefore, for instance, the model checking problem can be encoded.


In the semantics of TSL, functions and predicates are left uninterpreted, 
i.e., a system satisfies a TSL formula if the formula evaluates to true for all 
possible interpretations of the function and predicate symbols. This semantics 
has proven especially useful in the synthesis of reactive programs [15,17], where 
the synthesis algorithm builds a control structure, while the implementation 
of the functions and predicates is either done manually or provided by some 
library. One exemplary success story of TSL-based specification and synthesis of 
a reactive system is the arcade game Syntroids [17] realized on an FPGA. 

In this paper, we define and investigate the satisfiability problem of TSL modulo the standard underlying theory of uninterpreted functions and with respect to other first-order theories such as the theory of equality and Presburger arithmetic. Intuitively, a TSL formula φ is satisfiable in a theory T if there is an execution satisfying φ that matches the function applications and predicate constraints of an interpretation in T. TSL validity in T is dual: A TSL formula φ is valid in a theory T if, and only if, ¬φ is unsatisfiable in T.

For LTL, satisfiability is decidable [37] and efficient algorithms for check- 
ing the satisfiability of an LTL formula have been implemented in tools like 
Aalta [25]. Satisfiability checking has numerous applications in the specification 
and analysis of reactive systems, such as identifying inconsistent system require- 
ments during the design process, comparing different formalizations of the same 
requirements, and various types of vacuity checking. TSL satisfiability checking 
extends these applications to data-intensive systems. 

We present an algorithm for checking the satisfiability of a TSL formula in the theory of uninterpreted functions. It is based on Büchi stream automata (BSAs), a new kind of ω-automata that we introduce in this paper. BSAs can handle the predicates and updates occurring in TSL formulas. Similar to the relationship between LTL formulas and nondeterministic Büchi automata, BSAs are an automaton representation of TSL formulas, i.e., there exists an equivalent BSA for every TSL formula. Given a TSL formula φ, our algorithm constructs an equivalent BSA B_φ, and then tries to prove satisfiability and unsatisfiability in parallel: For proving satisfiability, it searches for a lasso that ensures consistency of the function terms in an accepting run of B_φ. If such a lasso is found, φ is satisfiable. For proving unsatisfiability, the algorithm discards inconsistent runs of B_φ. If no accepting run is left, φ is unsatisfiable.

The algorithm does not always terminate. In fact, we show that TSL satisfi- 
ability is neither semi-decidable nor co-semi-decidable in the theory of uninter- 
preted functions. Thus, no complete algorithm exists. The undecidability result 
extends to the theory of equality and Presburger arithmetic. There exist, how- 
ever, (semi-)decidable fragments of TSL in the theory of uninterpreted functions: 
For satisfiable formulas with a single variable as well as satisfiable reachability 
formulas, our algorithm is guaranteed to terminate. For slightly more restricted 
reachability formulas, satisfiability is decidable. 

We have implemented the algorithm and evaluated it, clearly illustrating its 
applicability: It terminates within one second on many randomly generated for- 
mulas and scales particularly well for satisfiable formulas. Moreover, it is able to 
check realistic benchmarks for consistency and to (in-)validate their assumptions. 
Most notably, we successfully validate the assumptions of a Syntroids module. 

A preliminary version of this paper has been published on arXiv [13]. This has 
already led to further research on TSL modulo theories: Maderbacher and Bloem 
show that the synthesis problem for TSL modulo theories is undecidable in 
general and present a synthesis procedure for TSL modulo theories based on a 
counter-example guided LTL synthesis loop [27]. 

Further details and proofs are available in the full version of this paper [14]. 


2 Preliminaries 


We assume time to be discrete. A value can be of arbitrary type and we denote the set of all values by V. The Boolean values are denoted by B ⊆ V. Given n values, an n-ary function f : V^n → V computes a new value. An n-ary predicate p : V^n → B determines whether a property over n values is satisfied. The sets of all functions and predicates are denoted by F and P ⊆ F, respectively. Constants are both functions of arity zero and values. Starting from 0, we denote the i-th position of an infinite word σ by σ_i and the i-th component of a tuple t by π_i(t).

To argue about functions and predicates, we use a term-based notation. Function terms τ_F are constructed from variables and functions, recursively applied to a set of function terms. Predicate terms τ_P are constructed by applying a predicate to function terms. The sets of all function and predicate terms are denoted by T_F and T_P ⊆ T_F, respectively. Given sets Σ_F, Σ_P of function and predicate symbols with Σ_P ⊆ Σ_F, a set 𝒱 of variables, and a set V of values, let ⟨·⟩ : 𝒱 ∪ Σ_F → V ∪ F be an assignment function assigning a concrete function (predicate) to each function (predicate) symbol and an initial value to each variable. We require ⟨v⟩ ∈ V, ⟨f⟩ ∈ F, and ⟨p⟩ ∈ P for v ∈ 𝒱, f ∈ Σ_F, p ∈ Σ_P. The evaluation χ_⟨·⟩ : T_F → V ∪ B of function terms is defined by χ_⟨·⟩(v) := ⟨v⟩ for v ∈ 𝒱, and by χ_⟨·⟩(f(τ_0, ..., τ_n)) := ⟨f⟩(χ_⟨·⟩(τ_0), ..., χ_⟨·⟩(τ_n)) for f ∈ Σ_F ∪ Σ_P.

Functions and predicates are not tied to a specific interpretation. To restrict the possible interpretations, we utilize first-order theories. A first-order theory T is a tuple (Σ_F, Σ_P, A), where Σ_F and Σ_P are sets of function and predicate symbols, respectively, and A is a set of closed first-order logic formulas over Σ_F, Σ_P, and a set of variables 𝒱. For an introduction to first-order logic, we refer to the full version [14]. The elements of A are called the axioms of T and Σ_F ∪ Σ_P is called the signature of T. A model M for a theory T = (Σ_F, Σ_P, A) is a tuple (V, ⟨·⟩), where V is a set of values and ⟨·⟩ is an assignment function as introduced above. Furthermore, (V, ⟨·⟩) is required to entail φ_A for each axiom φ_A ∈ A. The set of all models of a theory T is denoted by Models(T).

In the remainder of this paper, we focus on the following three theories: The theory of uninterpreted functions T_U is a theory without any axioms, i.e., every symbol is uninterpreted. It allows for arbitrarily many function and predicate symbols. The theory of equality T_E additionally includes equality, i.e., its axioms enforce the equality symbol = to indeed represent equality. The theory of Presburger arithmetic T_N implements the idea of numbers. Its axioms define the constants 0 and 1 as well as equality and addition.


3 Temporal Stream Logic modulo Theories 


In this section, we introduce Temporal Stream Logic modulo theories, an exten- 
sion of the recently introduced logic Temporal Stream Logic (TSL) [15] with 
first-order theories. First, we recap the main idea of TSL as well as its syntax 
and semantics. Afterwards, we extend TSL with first-order theories and define 
the basic notions of satisfiability and validity for TSL formulas modulo theories. 


3.1 Temporal Stream Logic 


Temporal Stream Logic (TSL) [15] is a temporal logic that separates tempo- 
ral control and pure data. Data is represented as infinite streams of arbitrary 
type. TSL allows for checks and manipulations of streams on an abstract level: 
It focuses on the control flow and abstracts away concrete implementation de- 
tails. The temporal structure of the data is expressed by temporal operators as 
in LTL [32]. TSL is especially designed for reactive synthesis and thus distin- 
guishes between uncontrollable input streams and controllable output streams, 
so-called cells. In this paper, this distinction is not necessary since we consider 
TSL independent of its usage in synthesis. Thus, we use the notions of streams 
and cells as synonyms. The finite set of all cells is denoted by C. 

In TSL, we use functions f ∈ F to modify cells and predicates p ∈ P to perform checks on cells. The cells c ∈ C serve as variables for function terms. The sets of all function and predicate terms over Σ_F, Σ_P, and C are denoted by T_F and T_P. TSL formulas are built according to the following grammar:

\[ \varphi, \psi \;:=\; \mathit{true} \;\mid\; \neg\varphi \;\mid\; \varphi \wedge \psi \;\mid\; \bigcirc\varphi \;\mid\; \varphi\,\mathcal{U}\,\psi \;\mid\; \tau_P \;\mid\; [c \leftarrowtail \tau_F] \]

where c ∈ C, τ_P ∈ T_P, and τ_F ∈ T_F. An update [c ↢ τ_F] denotes that the value of the function term τ_F is assigned to cell c. The value of τ_F may depend on the value of the cells occurring in τ_F. The temporal operators ○φ and φ U ψ are similar to the ones in LTL. We define ◇φ := true U φ and □φ := ¬◇¬φ.

Since functions and predicates are represented symbolically, they are not tied 
to a specific implementation. To assign an interpretation to them, we use an 
assignment function ⟨·⟩ : C ∪ Σ_F → V ∪ F, where V is a set of values. We require ⟨c⟩ ∈ V, ⟨f⟩ ∈ F and ⟨p⟩ ∈ P for c ∈ C, f ∈ Σ_F, and p ∈ Σ_P. Note that ⟨·⟩ also assigns an initial value to each cell. Terms can be compared syntactically with the equivalence relation ≡. The set of all assignments of cells c ∈ C to function terms τ_F ∈ T_F is denoted by 𝒞. A computation ς ∈ 𝒞^ω is an infinite sequence of assignments of cells to function terms, capturing the behavior of cells over time. The satisfaction of a TSL formula φ with respect to ς, a set of values V, an assignment function ⟨·⟩, and a time step t is defined by:¹

\[ \begin{array}{lcl}
\varsigma, t \models_{V,\langle\cdot\rangle} \neg\varphi & \Leftrightarrow & \varsigma, t \not\models_{V,\langle\cdot\rangle} \varphi \\
\varsigma, t \models_{V,\langle\cdot\rangle} \varphi \wedge \psi & \Leftrightarrow & \varsigma, t \models_{V,\langle\cdot\rangle} \varphi \;\wedge\; \varsigma, t \models_{V,\langle\cdot\rangle} \psi \\
\varsigma, t \models_{V,\langle\cdot\rangle} \bigcirc\varphi & \Leftrightarrow & \varsigma, t+1 \models_{V,\langle\cdot\rangle} \varphi \\
\varsigma, t \models_{V,\langle\cdot\rangle} \varphi\,\mathcal{U}\,\psi & \Leftrightarrow & \exists t' \geq t.\; \forall t \leq t'' < t'.\; \varsigma, t'' \models_{V,\langle\cdot\rangle} \varphi \;\wedge\; \varsigma, t' \models_{V,\langle\cdot\rangle} \psi \\
\varsigma, t \models_{V,\langle\cdot\rangle} [c \leftarrowtail \tau] & \Leftrightarrow & \varsigma_t(c) \equiv \tau \\
\varsigma, t \models_{V,\langle\cdot\rangle} p(\tau_0, \dots, \tau_m) & \Leftrightarrow & \chi_{\langle\cdot\rangle}\big(\eta(\varsigma, t, p(\tau_0, \dots, \tau_m))\big)
\end{array} \]

where η : 𝒞^ω × ℕ × T_F → T_F is a symbolic evaluation function defined by

\[ \eta(\varsigma, t, c) = \begin{cases} c & \text{if } t = 0 \\ \eta(\varsigma, t-1, \varsigma_{t-1}(c)) & \text{if } t > 0 \end{cases} \qquad
\eta(\varsigma, t, f(\tau_0, \dots, \tau_m)) = f\big(\eta(\varsigma, t, \tau_0), \dots, \eta(\varsigma, t, \tau_m)\big) \]

We call (ς, V, ⟨·⟩) an execution. The satisfaction of a predicate depends on the current and the past steps in the computation. For updates, the satisfaction depends solely on the current step. While updates are only checked syntactically, the satisfaction of predicates depends on the given assignment ⟨·⟩. An execution (ς, V, ⟨·⟩) satisfies a TSL formula φ, denoted ς ⊨_{V,⟨·⟩} φ, if ς, 0 ⊨_{V,⟨·⟩} φ holds.


Example 1. Suppose that we have a single cell x, i.e., C = {x}. Consider the computation ς = ({λc. f(x)})^ω, i.e., f(x) is assigned to cell x in every time step. Let V = ℕ be the set of values and let ⟨·⟩ be an assignment function such that the initial value of x is 1, function f corresponds to incrementation, and predicate p determines whether its argument is even (true) or odd (false). Consider the TSL formula φ := [x ↢ f(x)] ∧ ¬p(x) ∧ ○p(x). By the semantics of TSL, we have ς, 0 ⊨_{V,⟨·⟩} φ if, and only if, (ς_0(x) ≡ f(x)) ∧ (¬⟨p⟩(⟨x⟩)) ∧ (⟨p⟩(⟨f⟩(⟨x⟩))) holds. The first conjunct clearly holds by construction of ς. Since 1 is odd and 1+1 = 2 is even, the other two conjuncts hold as well for the chosen assignment function. Hence, (ς, V, ⟨·⟩) satisfies φ for ς = ({λc. f(x)})^ω, V = ℕ and ⟨·⟩.


A computation ς is called finitary with respect to φ, denoted fin_φ(ς), if for all cells c ∈ C and for all points in time t, either ς_t(c) = c holds, or there is an update [c ↢ τ] in φ such that ς_t(c) = τ, i.e., a finitary computation only contains updates occurring in φ and self-updates. For ς and φ from Example 1, for instance, ς is finitary with respect to φ.


¹ Note that we use a slightly different, but equivalent, definition than [15]: Instead of evaluating the function and predicate symbols on the fly, we construct the whole term first and then evaluate it recursively using the evaluation function χ_⟨·⟩.

3.2 Extending TSL with Theories 


In this paper, we extend TSL with first-order theories. That is, we restrict the possible interpretations of predicate and function symbols to a theory. Hence, we define the notions of satisfiability and validity of a TSL formula modulo a theory T. Intuitively, a TSL formula φ is satisfiable in a theory T if there exists an execution satisfying φ whose domain and assignment function represent a model in T, i.e., that entail all axioms of T. Formally:


Definition 1 (TSL Satisfiability). Let T = (Σ_F, Σ_P, A) be a theory and let φ be a TSL formula over Σ_F, Σ_P, and C. We call φ satisfiable in T if, and only if, there exists an execution (ς, V, ⟨·⟩) such that ς ⊨_{V,⟨·⟩} φ and (V, ⟨·⟩) ∈ Models(T) hold. If additionally fin_φ(ς) holds, then φ is called finitary satisfiable in T.


Intuitively, a formula φ is valid in a theory T if for all executions and all matching models of the theory the formula is satisfied. Formally:


Definition 2 (TSL Validity). Let T = (Σ_F, Σ_P, A) be a theory and let φ be a TSL formula over Σ_F, Σ_P, and C. The formula φ is called valid in T if, and only if, for all executions (ς, V, ⟨·⟩) with (V, ⟨·⟩) ∈ Models(T), we have ς ⊨_{V,⟨·⟩} φ. If ς ⊨_{V,⟨·⟩} φ holds for all executions (ς, V, ⟨·⟩) with both (V, ⟨·⟩) ∈ Models(T) and fin_φ(ς), then φ is called finitary valid in T.


It follows directly from their definitions that (finitary) TSL satisfiability and 
(finitary) TSL validity are dual. Thus, we focus on TSL satisfiability in the 
remainder of this paper as the results can easily be extended to TSL validity. 


Theorem 1 (Duality of TSL Satisfiability and Validity). Let φ be a TSL formula over Σ_F, Σ_P, and C and let T = (Σ_F, Σ_P, A) be a theory. Then, φ is (finitary) satisfiable in T if, and only if, ¬φ is not (finitary) valid in T.


4 TSL modulo T_U Satisfiability Checking


In this section, we investigate the satisfiability of TSL modulo the theory of uninterpreted functions T_U. Since T_U has no axioms, there are no restrictions on how a model for T_U evaluates the function and predicate symbols. The only condition is that the evaluated symbols are indeed functions. Therefore, we have (ς, V, ⟨·⟩) ∈ Models(T_U) for all executions. Thus, finding some execution satisfying a TSL formula φ is sufficient for showing that φ is satisfiable in T_U:


Lemma 1. Let φ be a TSL formula over Σ_F, Σ_P, and C. If there exists an execution (ς, V, ⟨·⟩) with ς ⊨_{V,⟨·⟩} φ, then φ is satisfiable in T_U. If additionally fin_φ(ς) holds, then φ is finitary satisfiable in T_U.


In the following, we introduce an (incomplete) algorithm for checking the satisfiability of a TSL formula φ in the theory of uninterpreted functions. By Lemma 1, it suffices to find an execution satisfying φ to prove its satisfiability in T_U. To search for such an execution, we introduce Büchi stream automata (BSAs), a new kind of ω-automata that reads executions and allows for dealing with predicates and updates. BSAs are, similar to the connection between LTL and Büchi automata, an automaton representation for TSL. Then, we present the algorithm for checking satisfiability in T_U based on BSAs.


4.1 Büchi Stream Automata


Intuitively, a Büchi stream automaton (BSA) is an ω-automaton with Büchi acceptance condition that reads infinite executions instead of infinite words. Furthermore, it is able to deal with predicates and updates occurring in TSL formulas. To do so, the transitions of a BSA are labeled with guards and update terms. Intuitively, the former define which predicates need to hold when taking the transition. The latter define how the corresponding cells are updated when taking the transition. Formally, a BSA is defined as follows:


Definition 3 (Büchi Stream Automaton). Let Σ_F, Σ_P be sets of function and predicate symbols, respectively, and let C be a finite set of cells. A Büchi stream automaton B over Σ_F, Σ_P, and C is a tuple (Q, Q_0, F, •, G, U, δ), where Q is a finite set of states, Q_0 ⊆ Q is a set of initial states, F ⊆ Q is a set of accepting states, • is a fresh term symbol such that • ∉ C ∪ Σ_F ∪ Σ_P, G ⊆ T_P is a finite set of predicate terms over Σ_F, Σ_P, and C, called guards, U ⊆ T_F ∪ {•} is a finite set of function terms over Σ_F, Σ_P, and C, called update terms, and δ ⊆ Q × (G → B) × (C → U) × Q is a finite transition relation.


Note that by requiring the update terms U to be a finite set of function terms, not all executions can be read by a BSA: Non-finitary executions contain updates with function terms that do not occur in the given TSL formula. Thus, they may require infinitely many update terms. Therefore, we introduce the fresh term symbol • ∉ C ∪ Σ_F ∪ Σ_P. If a transition in a BSA assigns • to a cell c ∈ C, then any function term can be assigned to c. This allows for reading non-finitary executions while maintaining finite representability of BSAs.


Example 2. Consider the three BSAs depicted in Figure 1. If B_1 is in state q_0 and p(x) holds, then cell x is updated with f(x) and B_1 chooses nondeterministically to either stay in q_0 or to move to the accepting state q_1. In contrast, B_2 is deterministic. Yet, it is incomplete: In both q_0 and q_1, no guard is satisfied if ¬p(x) holds. Hence, B_2 gets stuck, preventing satisfaction of the Büchi winning condition for any execution containing ¬p(x). The BSA B_3 makes use of the fresh term symbol •: If p(x) holds, any function term can be assigned to x.


Given sets Σ_F, Σ_P, C and a BSA B = (Q, Q_0, F, •, G, U, δ) over Σ_F, Σ_P, C, an infinite word c ∈ (Q × (G → B) × (C → U) × Q)^ω is called a run of B if, and only if, the first state of c is an initial state, i.e., π_1(c_0) ∈ Q_0, and both c_t ∈ δ and π_4(c_t) = π_1(c_{t+1}) hold for all points in time t ∈ ℕ_0. Intuitively, a run c is an infinite sequence of tuples (q, g, u, q') encoding transitions in the BSA: q is the source state, q' is the target state, g determines which predicate terms hold, and u defines which updates are performed when taking the transition. A run c is called accepting if it contains infinitely many accepting states, i.e., for all points in time t ∈ ℕ_0, there exists a t' ≥ t such that π_1(c_{t'}) ∈ F holds.

Fig. 1: Three exemplary Büchi stream automata. Accepting states are marked with double circles. Guards are highlighted in red, update terms in blue.


Example 3. Let g_1(p(x)) = true, g_2(p(x)) = false, and u(x) = f(x). The infinite word c = (q_0, g_1, u, q_1)(q_1, g_2, u, q_0)(q_0, g_1, u, q_1)(q_1, g_2, u, q_0) ... is a run of BSA B_1 from Figure 1a. It is accepting as it visits q_1 infinitely often.


The characteristics of a BSA are its predicates and updates. Thus, it is not sufficient to solely consider accepting runs since the constraints produced by the predicates might be inconsistent. Therefore, we define the execution of a BSA that only permits consistent accepting runs. Intuitively, given a run c of a BSA B, an execution of c consists of a computation ς ∈ 𝒞^ω, a domain V, and an assignment ⟨·⟩ such that the updates in ς match the updates in c and such that the recursive evaluation of a predicate term using ⟨·⟩ matches its truth value in c. To capture the constraints accumulated in c as well as their truth values, we define the constraint trace σ ∈ (2^{T_P × B})^ω of ς and c: Formally, σ for ς and c is defined by σ_t := ∅ if t = 0, and σ_t := σ_{t−1} ∪ {(η(ς, t−1, τ_P), π_2(c_{t−1})(τ_P)) | τ_P ∈ G} if t > 0. As an example, reconsider the computation ς from Example 1 and the run c of BSA B_1 from Example 3. The constraint trace of ς and c is given by σ = ∅ {(p(x), true)} {(p(x), true), (p(f(x)), false)} .... A constraint trace σ is called consistent if there is no predicate term τ_P ∈ T_P such that both (τ_P, true) and (τ_P, false) occur in ⋃_{t∈ℕ_0} σ_t. The σ from the example above is consistent. Using constraint traces, we now formally define the execution of a BSA:


Definition 4 (Execution of a BSA). Let Σ_F and Σ_P be sets of function and predicate symbols, respectively, and let C be a finite set of cells. Let B be a BSA over Σ_F, Σ_P, and C and let c be a run of B. Let ς ∈ 𝒞^ω be an infinite computation and let ⟨·⟩ : C ∪ Σ_F → V ∪ F be an assignment function. Let σ be the constraint trace of ς and c. We call (ς, V, ⟨·⟩) an execution for c if (1) for all points in time t ∈ ℕ_0 and all cells c ∈ C, we have either π_3(c_t)(c) = ς_t(c) or π_3(c_t)(c) = •, and (2) for all (τ_P, b) ∈ ⋃_{t∈ℕ_0} σ_t, we have χ_⟨·⟩(τ_P) = b.
Note that the second requirement can only be fulfilled if the constraint trace is consistent. Consider the computation ς and the assignment function ⟨·⟩ from Example 1, the run c of B_1 from Example 3, and the constraint trace σ of ς and c given above. Then, (ς, ℕ, ⟨·⟩) is an execution for c: Since in both ς and c, cell x is always updated with f(x), the updates in ς and c coincide at every point in time. Furthermore, by construction of ⟨·⟩, the constraints of σ match the truth values obtained by recursively evaluating ⟨·⟩ for all predicate terms.

We define two languages of a BSA $\mathcal{B}$: The symbolic language $\mathcal{L}(\mathcal{B})$ is the set 
of all executions that have a respective accepting run, i.e., $(\varsigma, \mathcal{V}, \langle\cdot\rangle) \in \mathcal{L}(\mathcal{B})$ if, 
and only if, there exists an accepting run $c$ such that $(\varsigma, \mathcal{V}, \langle\cdot\rangle)$ is an execution 
for $c$. The language $\mathcal{L}_T(\mathcal{B})$ in a theory $T$ is the set of all executions whose domain 
and assignment function additionally form a model in $T$, i.e., $(\varsigma, \mathcal{V}, \langle\cdot\rangle) \in \mathcal{L}_T(\mathcal{B})$ 
if, and only if, $(\varsigma, \mathcal{V}, \langle\cdot\rangle) \in \mathcal{L}(\mathcal{B})$ and $(\mathcal{V}, \langle\cdot\rangle) \in \mathit{Models}(T)$. 

We call a BSA $\mathcal{B} = (Q, Q_0, F, \varepsilon, G, U, \delta)$ finitary if $\varepsilon \notin U$ holds. Hence, every 
run $c$ of a finitary BSA has a unique computation $\varsigma$ and thus a unique constraint 
trace $\sigma$. Therefore, for a finite prefix $c_p$ of $c$, we can compute its execution effect 
$\mathit{effect}(c_p) := (\lambda c.\ \eta(\varsigma, |c_p|, c),\ \sigma_{|c_p|})$ from $c_p$ itself, i.e., without considering $\varsigma$ and $\sigma$ 
explicitly. Intuitively, $c_p$'s execution effect consists of the function terms assigned 
to the cells during the execution of $c_p$ as well as the constraints and their truth 
values on the transitions taken with $c_p$ in the BSA. The BSAs $\mathcal{B}_1$ and $\mathcal{B}_2$, depicted 
in Figure 1, are finitary while $\mathcal{B}_3$ is not. Since $\mathcal{B}_1$ is finitary, consider the prefix 
$c_p = (q_0, g_1, u, q_1)(q_1, g_2, u, q_0)$ of the run $c$ of $\mathcal{B}_1$ presented in Example 3. Its exe- 
cution effect is given by $\mathit{effect}(c_p) = (\lambda c.\ f(f(x)),\ \{(p(x), \mathit{true}), (p(f(x)), \mathit{false})\})$. 

An LTL formula $\varphi$ can be translated into a nondeterministic Büchi automa- 
ton (NBA) $\mathcal{A}_\varphi$ with $\mathcal{L}(\varphi) = \mathcal{L}(\mathcal{A}_\varphi)$ [38]. An analogous relation exists between 
TSL formulas and BSAs: A TSL formula $\varphi$ can be translated into an equiva- 
lent BSA $\mathcal{B}_\varphi$: First, we approximate $\varphi$ by an LTL formula $\varphi_{\mathit{LTL}}$, similarly to 
the approximation described in [15]. The main idea of the approximation is to 
represent every function and predicate term as well as every update occurring 
in $\varphi$ by an atomic proposition and to add conjuncts that ensure that exactly 
one update is performed for every cell in every time step. Second, we build an 
equivalent NBA $\mathcal{A}_{\varphi_{\mathit{LTL}}}$ from $\varphi_{\mathit{LTL}}$. Third, we construct a BSA $\mathcal{B}_\varphi$ from $\mathcal{A}_{\varphi_{\mathit{LTL}}}$ 
by, intuitively, translating the atomic propositions back into predicate terms and 
updates and by dividing them into guards and update terms, while maintaining 
the structure of the NBA $\mathcal{A}_{\varphi_{\mathit{LTL}}}$. The full construction of an equivalent BSA $\mathcal{B}_\varphi$ 
from a TSL formula $\varphi$ is given in the full version [14]. 


Theorem 2 (TSL to BSA Translation). Given a TSL formula $\varphi$, there 
exists an equivalent (finitary) Büchi stream automaton $\mathcal{B}$ such that for all theo- 
ries $T$, $\mathcal{L}_T(\mathcal{B}) \neq \emptyset$ holds if, and only if, $\varphi$ is (finitary) satisfiable in $T$. 


For instance, the TSL formula $\varphi_1 := \Box[x \leftarrowtail f(x)] \wedge \Box\Diamond(p(x) \wedge \bigcirc\neg p(x))$ is 
finitary satisfiable in a theory $T$ if, and only if, $\mathcal{L}_T(\mathcal{B}_1) \neq \emptyset$ holds for the BSA $\mathcal{B}_1$ 
from Figure 1a. Analogously, $\varphi_2 := \Box([x \leftarrowtail f(x)] \wedge p(x)) \wedge \Diamond\neg p(f(x))$ and 
$\varphi_3 := \Diamond p(x)$ correspond to the BSAs $\mathcal{B}_2$ and $\mathcal{B}_3$ from Figure 1b and Figure 1c. 
Algorithm 1: Algorithm for Checking TSL modulo $T_U$ Satisfiability 
Input: $\varphi$: TSL formula 
Output: SAT, UNSAT 

$\mathcal{B}$ := finitary BSA for $\varphi$ as defined in Theorem 2; 
$R$ := set of runs of $\mathcal{B}$; 

Function SatSearch 
    for $\mathit{pref}.\mathit{rec}^\omega \in \{c \mid c \in R \wedge \mathit{accepting}(c)\}$ do 
        $(v_P, \cdot)$ := $\mathit{effect}(\mathit{pref})$; 
        $(v_R, P)$ := $\mathit{effect}(\mathit{pref}.\mathit{rec})$; 
        if SMT$\Big(\bigwedge_{(\tau_P, v) \in P} \{\tau_P \text{ if } v = \mathit{true};\ \neg\tau_P \text{ if } v = \mathit{false}\} \ \wedge\ \bigwedge_{c \in C} v_P(c) = v_R(c)\Big)$ = SAT then 
            return SAT 

Function UnsatSearch 
    for $n \in \mathbb{N}_0$ do 
        for $c \in \{c \mid c \in \mathit{finiteSubwords}(R) \wedge |c| = n\}$ do 
            $(\cdot, P)$ := $\mathit{effect}(c)$; 
            if $\exists \tau_P.\ (\tau_P, \mathit{true}), (\tau_P, \mathit{false}) \in P$ then 
                $R := R \setminus \{c' \mid \exists m \in \mathbb{N}_0.\ \forall 0 \le i < n.\ c'_{i+m} = c_i\}$ 
        if $\{c \mid c \in R \wedge \mathit{accepting}(c)\} = \emptyset$ then 
            return UNSAT 

return parallel(SatSearch, UnsatSearch) 


4.2 An Algorithm for TSL modulo $T_U$ Satisfiability Checking 


Utilizing BSAs, we present an algorithm for checking the satisfiability of a TSL 
formula in the theory of uninterpreted functions $T_U$ in the following. First, recall 
that finitary computations only perform self-updates or updates that occur in 
the given TSL formula. Since there are only finitely many cells, the behavior 
of finitary computations is thus restricted to a finite set of possibilities in each 
step. Hence, reasoning with finitary computations is easier than reasoning with 
non-finitary ones. In the algorithm, we make use of the fact that satisfiability 
can be reduced to finitary satisfiability in the theory of uninterpreted functions, 
enabling us to focus on finitary computations. The main idea of the reduction is 
to introduce a new cell for each cell of a given TSL formula. The new cells then 
capture the values that are constructed by the non-finitary parts of a computa- 
tion. The proof is given in the full version [14]. 


Lemma 2. Let $\varphi$ be a TSL formula. Then, there is a TSL formula $\varphi_{\mathit{fin}}$ such 
that $\varphi$ is satisfiable in $T_U$ if, and only if, $\varphi \wedge \varphi_{\mathit{fin}}$ is finitary satisfiable in $T_U$. 


Algorithm 1 shows the algorithm for checking TSL modulo $T_U$ satisfiability. 
It directly works on Büchi stream automata. First, an equivalent BSA $\mathcal{B}$ is 
generated for the input formula $\varphi$. Then, in parallel, SatSearch tries to prove 
that $\varphi$ is satisfiable in $T_U$ while UnsatSearch tries to prove unsatisfiability of $\varphi$. 
SatSearch enumerates all lasso-shaped accepting runs $\mathit{pref}.\mathit{rec}^\omega$ of $\mathcal{B}$, i.e., 
accepting runs consisting of a finite prefix $\mathit{pref}$ and a finite recurring part $\mathit{rec}$ that 
is repeated infinitely often. Both $\mathit{pref}$ and $\mathit{rec}$ need to end in the same state of $\mathcal{B}$. 
Then, the execution effects of $\mathit{pref}$ and $\mathit{pref}.\mathit{rec}$ are computed. SatSearch checks 
if it is possible to satisfy all predicate constraints induced by $\mathit{pref}.\mathit{rec}$ under the 
condition that, for each cell, $\mathit{pref}$ and $\mathit{pref}.\mathit{rec}$ construct equal function terms. 
For this, it utilizes an SMT solver to check the satisfiability of a quantifier-free 
first-order logic formula, encoding the consistency requirement, in the theory of 
equality. If the check succeeds, adding $\mathit{rec}$ to $\mathit{pref}$ does not create an inconsistency 
and hence repeating $\mathit{rec}$ infinitely often is consistent. Therefore, there exists an 
execution for $\mathit{pref}.\mathit{rec}^\omega$ and thus $\varphi$ is finitary satisfiable in $T_U$ by Lemma 1. 
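SatSearch's SMT query for one lasso, as an added example in Python that is not the paper's code or its implementation: a small congruence-closure procedure for the theory of equality stands in for the z3 call, the valuations and constraints are those of Example 4 (the query $p(x) \wedge \neg p(f(x)) \wedge x = f(f(x))$), and the $x = f(x)$ variant is constructed here to show a rejected lasso.

```python
"""SatSearch's consistency query for a lasso pref.rec^omega, decided by
congruence closure in the theory of equality T_E (added example; the small
decision procedure stands in for the z3 call of the paper's implementation).

Terms are cell names (str) or tuples (symbol, arg, ...); a predicate term
such as ("p", "x") is an application too, so forced equality of two
predicate terms can be detected the same way as for function terms."""


class CongruenceClosure:
    """Union-find over ground terms with congruence propagation: whenever the
    arguments of two applications of the same symbol become equal, the two
    applications are merged as well."""

    def __init__(self):
        self.parent = {}   # term -> parent in the union-find forest
        self.uses = {}     # representative -> applications having it as an argument

    def intern(self, term):
        """Register a term and all of its subterms."""
        if term in self.parent:
            return
        self.parent[term] = term
        self.uses[term] = set()
        if isinstance(term, tuple):
            for arg in term[1:]:
                self.intern(arg)
                self.uses[self.find(arg)].add(term)

    def find(self, term):
        while self.parent[term] != term:
            self.parent[term] = self.parent[self.parent[term]]  # path halving
            term = self.parent[term]
        return term

    def merge(self, a, b):
        """Assert a = b and propagate every consequence by congruence."""
        self.intern(a)
        self.intern(b)
        pending = [(a, b)]
        while pending:
            s, t = pending.pop()
            rs, rt = self.find(s), self.find(t)
            if rs == rt:
                continue
            self.parent[rs] = rt
            self.uses[rt] |= self.uses.pop(rs)
            apps = list(self.uses[rt])
            for i, u in enumerate(apps):          # same symbol, equal arguments
                for v in apps[i + 1:]:
                    if u[0] == v[0] and len(u) == len(v) and all(
                            self.find(x) == self.find(y) for x, y in zip(u[1:], v[1:])):
                        pending.append((u, v))

    def equal(self, a, b):
        self.intern(a)
        self.intern(b)
        return self.find(a) == self.find(b)


def satisfiable_in_te(equalities, literals):
    """Decide a conjunction of equalities (lhs, rhs) and predicate literals
    (predicate term, demanded truth value) in T_E. Predicates are
    uninterpreted, so the conjunction is unsatisfiable exactly when the
    equalities force two predicate terms with different demanded truth
    values to be equal."""
    cc = CongruenceClosure()
    for lhs, rhs in equalities:      # intern everything first so that all
        cc.intern(lhs)               # congruent pairs are visible to merge()
        cc.intern(rhs)
    for pred, _ in literals:
        cc.intern(pred)
    for lhs, rhs in equalities:
        cc.merge(lhs, rhs)
    return not any(bp != bq and cc.equal(p, q)
                   for p, bp in literals for q, bq in literals)


def lasso_consistent(v_pref, v_pref_rec, constraints):
    """SatSearch's query: the constraint set P of pref.rec together with
    v_P(c) = v_R(c) for every cell c (both valuations map cells to terms)."""
    equalities = [(v_pref[c], v_pref_rec[c]) for c in v_pref]
    return satisfiable_in_te(equalities, list(constraints))


# Values of Example 4: effect(pref) = (λc. c, ∅) and
# effect(pref.rec) = (λc. f(f(x)), {(p(x), true), (p(f(x)), false)}).
V_PREF = {"x": "x"}
V_PREF_REC = {"x": ("f", ("f", "x"))}
P = {(("p", "x"), True), (("p", ("f", "x")), False)}

if __name__ == "__main__":
    print(lasso_consistent(V_PREF, V_PREF_REC, P))          # True: lasso accepted
    # constructed variant: a loop that leaves x = f(x) identifies p(x) with
    # p(f(x)) by congruence, so the same constraints become unsatisfiable
    print(lasso_consistent(V_PREF, {"x": ("f", "x")}, P))   # False
```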

UnsatSearch computes the execution effect of finite subwords of runs of $\mathcal{B}$ and 
checks whether they are consistent. If a subword is inconsistent, then every run 
that contains this subword is inconsistent. Hence, there do not exist executions 
for these runs and therefore they are removed from the set of candidate runs. If 
there is no accepting candidate run left, then $\mathcal{B}$ has an empty symbolic language 
and thus, by Theorem 2, $\varphi$ is unsatisfiable in $T_U$. 


Example 4. Consider the finitary BSAs $\mathcal{B}_1$ and $\mathcal{B}_2$ from Figures 1a and 1b as 
well as their respective TSL formulas $\varphi_1 := \Box[x \leftarrowtail f(x)] \wedge \Box\Diamond(p(x) \wedge \bigcirc\neg p(x))$ 
and $\varphi_2 := \Box([x \leftarrowtail f(x)] \wedge p(x)) \wedge \Diamond\neg p(f(x))$. If we execute Algorithm 1 on $\varphi_1$, 
SatSearch considers the accepting lasso $q_0 \to q_1 \to q_0$ in $\mathcal{B}_1$ at some point. 
Then, $\mathit{pref} = \varepsilon$ and $\mathit{rec} = (q_0, g_1, u, q_1)(q_1, g_2, u, q_0)$. Note that $\mathit{pref}.\mathit{rec}$ is the 
finite prefix $c_p$ of a run of $\mathcal{B}_1$ from Example 3. Thus, $\mathit{effect}(\mathit{pref}.\mathit{rec})$ is given by 
$(\lambda c.\ f(f(x)),\ \{(p(x), \mathit{true}), (p(f(x)), \mathit{false})\})$. Since $\mathit{effect}(\mathit{pref}) = (\lambda c.\ c, \emptyset)$ holds, 
SatSearch generates the query $p(x) \wedge \neg p(f(x)) \wedge x = f(f(x))$ which is satisfiable 
in $T_E$. Hence, we can repeat the lasso $q_0 \to q_1 \to q_0$ infinitely often without 
getting any inconsistent constraints and thus $\varphi_1$ is satisfiable. 

If we execute Algorithm 1 on $\varphi_2$, UnsatSearch checks at some point whether 
in $\mathcal{B}_2$ the transition sequence $q_0 \to q_1$ followed by the upper self-loop is con- 
sistent. This is not the case as it requires $p(f(x))$ to be true (first transition) 
and false (second transition): We have $\sigma_1 = \{(p(x), \mathit{true}), (p(f(x)), \mathit{false})\}$ and 
$\sigma_2 = \sigma_1 \cup \{(p(f(x)), \mathit{true}), (p(f(f(x))), \mathit{true})\}$ by definition of the constraint 
trace. UnsatSearch also checks the transition sequence $q_0 \to q_1$ followed by the 
lower self-loop which is also inconsistent. Hence, there is no consistent transition 
after $q_0 \to q_1$ and thus there is no valid accepting run. Hence, $\varphi_2$ is unsatisfiable. 
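Constraint traces, execution effects and the consistency check that UnsatSearch performs on finite subwords, worked through on the execution effect of the $\mathcal{B}_1$ prefix from Section 4.1 and on the transition sequences of Example 4, as an added example in Python that is not the paper's implementation; the transition tuples for $\mathcal{B}_1$ and $\mathcal{B}_2$ are constructed from the description of Figure 1 in the text and are assumptions.

```python
"""Constraint traces, execution effects and the UnsatSearch consistency
check for finitary BSA runs (added example; the transitions of B1 and B2
below are constructed from Examples 3 and 4, not read from the paper's
figures or implementation).

A term is a cell name (str) or a tuple (symbol, arg, ...); predicate terms
use the same shape, e.g. ("p", ("f", "x")) is p(f(x))."""
from itertools import product

P_X = ("p", "x")
P_FX = ("p", ("f", "x"))
UPDATE_X_FX = {"x": ("f", "x")}          # the update [x <- f(x)]


def substitute(term, valuation):
    """eta: rewrite `term` over the function terms the cells currently hold."""
    if isinstance(term, str):
        return valuation[term]
    sym, *args = term
    return (sym,) + tuple(substitute(a, valuation) for a in args)


def effect(run, cells=("x",)):
    """Execution effect of a finite run prefix.

    `run` is a sequence of transitions (q, guard, update, q') where `guard`
    maps predicate terms to the truth value the transition demands and
    `update` maps cells to function terms over the cells (a cell missing
    from `update` keeps its value, i.e. performs the self-update).
    Returns (valuation, constraints): the function term each cell holds
    after |run| steps and the accumulated constraint trace sigma_|run|."""
    valuation = {c: c for c in cells}    # eta(ς, 0, c) = c
    constraints = set()                  # sigma_0 = ∅
    for _, guard, update, _ in run:
        # guards are evaluated on the terms held *before* the transition's update
        for pred, truth in guard.items():
            constraints.add((substitute(pred, valuation), truth))
        valuation = {c: substitute(update.get(c, c), valuation) for c in cells}
    return valuation, frozenset(constraints)


def consistent(constraints):
    """Consistent iff no predicate term occurs with both truth values."""
    demanded = {}
    for pred, truth in constraints:
        if demanded.setdefault(pred, truth) != truth:
            return False
    return True


def inconsistent_subwords(transitions, length):
    """One UnsatSearch step for a fixed length n: every transition sequence
    of that length that follows the BSA's state structure and whose effect
    is inconsistent. Runs containing such a subword are pruned from R."""
    bad = []
    for word in product(transitions, repeat=length):
        if any(word[i][3] != word[i + 1][0] for i in range(length - 1)):
            continue                     # not a path through the BSA
        if not consistent(effect(word)[1]):
            bad.append(word)
    return bad


# B1 (Figure 1a): the lasso q0 -> q1 -> q0 of Example 4.
B1_Q0_Q1 = ("q0", {P_X: True}, UPDATE_X_FX, "q1")
B1_Q1_Q0 = ("q1", {P_X: False}, UPDATE_X_FX, "q0")

# B2 (Figure 1b): q0 -> q1 followed by the upper or the lower self-loop.
B2_Q0_Q1 = ("q0", {P_X: True, P_FX: False}, UPDATE_X_FX, "q1")
B2_UPPER = ("q1", {P_X: True, P_FX: True}, UPDATE_X_FX, "q1")
B2_LOWER = ("q1", {P_X: True, P_FX: False}, UPDATE_X_FX, "q1")

if __name__ == "__main__":
    val, cons = effect([B1_Q0_Q1, B1_Q1_Q0])
    print(val, sorted(cons, key=str), consistent(cons))
    for word in ([B2_Q0_Q1, B2_UPPER], [B2_Q0_Q1, B2_LOWER]):
        print([t[0] for t in word] + [word[-1][3]], consistent(effect(word)[1]))
    print(len(inconsistent_subwords([B2_Q0_Q1, B2_UPPER, B2_LOWER], 2)))
```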


Note that the presentation of Algorithm 1 omits implementation details such 
as the enumeration of accepting loops and the implementation of the infinite 
set $R$. A more detailed description addressing these issues is given in [14]. 

Algorithm 1 is correct. Intuitively, it terminates with SAT if the constraint 
trace $\sigma$ of the unique computation $\varsigma$ of $\mathit{pref}.\mathit{rec}^\omega$ is consistent. Hence, $\sigma$ defines 
an assignment $\langle\cdot\rangle$ such that $(\varsigma, \mathcal{V}, \langle\cdot\rangle)$ is an execution of $\mathit{pref}.\mathit{rec}^\omega$, implying satis- 
fiability of $\varphi$ in $T_U$. If the algorithm terminates with UNSAT, then all accepting 
runs of the BSA are inconsistent and thus no finitary execution satisfying $\varphi$ 
exists. For the proof, we refer the reader to the full version [14]. 

Theorem 3 (Correctness of Algorithm 1). Let $\varphi$ be a TSL formula. If 
Algorithm 1 terminates on $\varphi$ with SAT, then there exists an execution $(\varsigma, \mathcal{V}, \langle\cdot\rangle)$ 
such that both $\varsigma \models_{\mathcal{V}, \langle\cdot\rangle} \varphi$ and $\mathit{fin}_\varphi(\varsigma)$ hold. If Algorithm 1 terminates with UN- 
SAT, then for all executions $(\varsigma, \mathcal{V}, \langle\cdot\rangle)$ with $\mathit{fin}_\varphi(\varsigma)$, $\varsigma \not\models_{\mathcal{V}, \langle\cdot\rangle} \varphi$ holds. 


5 Undecidability of TSL modulo $T_U$ Satisfiability 


The algorithm for TSL satisfiability checking in $T_U$ presented in the previous sec- 
tion does not necessarily terminate. In this section, we show that no complete al- 
gorithm exists: The satisfiability of a TSL formula in the theory of uninterpreted 
functions $T_U$ (TSL-$T_U$-SAT) is neither semi-decidable nor co-semi-decidable: 


Theorem 4 (Undecidability of TSL-$T_U$-SAT). The satisfiability (validity) 
problem of TSL in $T_U$ is neither semi-decidable nor co-semi-decidable. 


The main intuition behind the undecidability result is that we can encode 
numbers with TSL in the theory of uninterpreted functions. That is, we are able 
to encode incrementation, resetting some variable to zero, and equality. We only 
give the encoding here; for the proof of its correctness we refer to [14]. 


Lemma 3. Let $f$ be a unary function, let $=$ be a binary predicate, and let $z$ be 
a constant. Let $f^x(z)$ correspond to applying $f$ $x$ times to $z$. There exists a TSL 
formula $\varphi_{\mathit{num}}$ such that every execution entailing $\varphi_{\mathit{num}}$ requires from its models 
that for all $a, b \in \mathbb{N}_0$, $a = b$ holds if, and only if, $f^a(z) = f^b(z)$ holds. 


Proof (Sketch). We construct $\varphi_{\mathit{num}} = \varphi_1 \wedge \varphi_2$ as follows: The first conjunct is 
defined by $\varphi_1 := [x \leftarrowtail z] \wedge \bigcirc\Box([x \leftarrowtail f(x)] \wedge x = x)$. Let 

$$\varphi_{\mathit{eq}} := (x = b) \to \big([x \leftarrowtail z] \wedge [b \leftarrowtail f(b)] \wedge \neg(b = f(b)) \wedge \neg(f(b) = z)\big)$$ 
$$\varphi_{\mathit{neq}} := \neg(x = b) \to \big([x \leftarrowtail f(x)] \wedge [b \leftarrowtail b] \wedge \neg(x = f(b)) \wedge \neg(f(b) = z)\big).$$ 

Then, $\varphi_2$ is defined by $\varphi_2 := [x \leftarrowtail z] \wedge [b \leftarrowtail z] \wedge \bigcirc\Box(\varphi_{\mathit{eq}} \wedge \varphi_{\mathit{neq}})$. 


Intuitively, $f$ corresponds to incrementation, $z$ to resetting a variable to zero, 
and $=$ to equality: $\varphi_1$ ensures that $f^n(z) = f^n(z)$ holds for all $n \in \mathbb{N}_0$. In 
contrast, $\varphi_2$ ensures that if $a \neq b$ holds, then $\neg(f^a(z) = f^b(z))$: Starting with 
$x = b = z$, $\varphi_1$ ensures that $x = b$ holds initially. Then, $\varphi_{\mathit{eq}}$ resets $x$ to $z$ and 
"increments" $b$, while ensuring that $\neg(f^k(z) = f^{k+1}(z))$ holds, where $b = f^k(z)$. 
Then, $\neg(x = b)$ holds and thus $\varphi_{\mathit{neq}}$ "increments" $x$ until it reaches $b = f^{k+1}(z)$, 
while ensuring that $\neg(f^{k+1}(z) = f^\ell(z))$ holds for all $\ell < k + 1$. 

Using this encoding in TSL modulo $T_U$, we can construct a TSL formula $\varphi_G$ 
for every GOTO program $G$ such that $\varphi_G \wedge \varphi_{\mathit{num}}$ is satisfiable in $T_U$ if, and only 
if, $G$ terminates on every input. Intuitively, $\varphi_G$ "simulates" $G$ on different inputs 
by starting with input zero and incrementing the input if the halting location was 
reached. The temporal operators of TSL allow for requiring that $G$ terminates 
infinitely often. The construction of $\varphi_G$ is given in the full version [14]. Since 
the universal halting problem for GOTO programs is neither semi-decidable nor 
co-semi-decidable, the same undecidability result follows for the satisfiability of 
a TSL formula modulo $T_U$, proving Theorem 4. 

Since the theory of Presburger arithmetic $T_N$ allows for incrementation, re- 
setting a variable to zero, and equality, we can reuse the TSL formula $\varphi_G$ from 
above to reduce the universal halting problem for GOTO programs to TSL satis- 
fiability modulo $T_N$ (TSL-$T_N$-SAT), proving undecidability of TSL-$T_N$-SAT. Note 
that this result holds for other theories that can express incrementation, reset, 
and equality, for instance Peano arithmetic, as well. 


Theorem 5 (Undecidability of TSL-$T_N$-SAT). The satisfiability (validity) 
problem of TSL in $T_N$ is neither semi-decidable nor co-semi-decidable. 


Furthermore, equality allows for encoding incrementation and resetting a 
variable to zero. Hence, similarly to $T_U$, there exists a TSL formula $\varphi_{\mathit{enc}}$ that, if 
entailed, enforces a binary function and a constant to behave as incrementation 
and a reset, respectively. The construction of $\varphi_{\mathit{enc}}$ is given in the full version [14]. 
Thus, the TSL formula $\varphi_G$ constructed as above for a GOTO program $G$ ensures 
that $\varphi_G \wedge \varphi_{\mathit{enc}}$ is satisfiable in the theory of equality $T_E$ if, and only if, $G$ 
terminates on every input. Hence, undecidability of TSL-$T_E$-SAT follows: 


Theorem 6 (Undecidability of TSL-$T_E$-SAT). The satisfiability (validity) 
problem of TSL in $T_E$ is neither semi-decidable nor co-semi-decidable. 


6 (Semi-)Decidable Fragments 


In Section 5, we showed that TSL satisfiability is undecidable in $T_U$. In this 
section, however, we identify fragments of TSL on which Algorithm 1 terminates 
for certain inputs. In fact, we present one fragment for which TSL-$T_U$-SAT is 
decidable and two fragments for which TSL-$T_U$-SAT is semi-decidable. 

First, we consider the TSL reachability fragment, i.e., the fragment of TSL 
that only permits the next operator and the eventually operator as temporal 
operators. In our applications, this fragment corresponds to finding counterex- 
amples to safety properties. For satisfiable reachability formulas, Algorithm 1 
terminates. The main idea behind the termination is that the BSA of a reacha- 
bility formula has an accepting lasso-shaped run and since $\varphi$ is satisfiable, this 
run is consistent. For the proof, we refer to the full version [14]. 


Lemma 4. Let $\varphi$ be a TSL formula in the reachability fragment. If $\varphi$ is finitary 
satisfiable in $T_U$, then Algorithm 1 terminates on $\varphi$. 


Restricting the reachability fragment further, we consider TSL formulas with 
updates, predicates, logical operators, next operators, and at most one top-level 
eventually operator. Such formulas are either completely time-bounded or they 
are of the form $\varphi = \Diamond\varphi'$, where $\varphi'$ is time-bounded. In the dual validity problem, 
such formulas correspond to invariants on a fixed time window, a useful property 
for many applications. Algorithm 1 is guaranteed to terminate for satisfiable and 
unsatisfiable formulas of the above form if a suitable BSA is constructed. Such a 
suitable BSA has a single accepting state $q$ indicating that the time-bounded part 
has been satisfied. Intuitively, a suitable BSA ensures that all runs reaching $q$ are 
accepting and that only finitely many transition sequences lead to $q$. Then, if $\varphi$ is 
unsatisfiable, Algorithm 1 is able to exclude all transition sequences leading to $q$ 
and thus to terminate. A BSA with infinitely many transition sequences leading 
to $q$, in contrast, may cause the algorithm to diverge as it may consider infinitely 
many consistent subsequences before finding the inconsistent one yielding the 
exclusion of the sequences leading to $q$. A suitable BSA exists for every TSL 
formula in the considered fragment. For the proof, including a more detailed 
description of suitable BSAs, we refer to the full version [14]. 


Lemma 5. Let $\varphi$ be a TSL formula with only logical operators, predicates, up- 
dates, next operators, and at most one top-level eventually operator. Algorithm 1 
terminates on $\varphi$ if it picks a suitable respective BSA. 


Note that Algorithm 1 is only a formal decider for this fragment if we ensure 
that a suitable BSA is always generated. In practice, we experienced that this 
is usually the case even without posing restrictions on the BSA construction. 
Lastly, we consider a fragment of TSL that does not restrict the temporal struc- 
ture of the formula but the number of used cells. For TSL formulas with a single 
cell, Algorithm 1 always terminates on satisfiable inputs: 


Lemma 6. Let $\varphi$ be a TSL formula such that $|C| = 1$. If $\varphi$ is finitary satisfiable 
in the theory of uninterpreted functions, then Algorithm 1 terminates on $\varphi$. 


Intuitively, restricting the TSL formula to use only a single cell prevents 
us from simulating arbitrary computations and thus from reducing from the 
universal halting problem of GOTO programs as in the general undecidability 
proof. The formal proof, given in the full version [14], however, is unrelated to 
the above intuition. Combining the three observations, we obtain the following 
(semi-)decidability results for the satisfiability of fragments of TSL modulo $T_U$: 


Theorem 7. The satisfiability problem of TSL formulas in $T_U$ is (1) semi- 
decidable for the reachability fragment of TSL, (2) decidable for formulas consist- 
ing of only logical operators, predicates, updates, next operators, and at most one 
top-level eventually operator, and (3) semi-decidable for formulas with one cell. 


7 Evaluation 


We implemented the algorithm for checking TSL modulo $T_U$ satisfiability 
(https://github.com/reactive-systems/tsl-satisfiability-modulo-theories). We 
used TSL tools (https://github.com/reactive-systems/tsltools) to handle TSL, 
spot [11] to transform the approximated LTL formulas into NBAs, SyFCo [20] 
for LTL transformations, and z3 [31] to solve SMT queries. The implementation 
follows the extended algorithm described in [14]. Since in some cases the default 
optimizations of spot produce a large overhead in computation time, we first 
execute it with these and if this does not terminate within 20s, we execute it 
without optimizations. We evaluated the implementation on three benchmark 
classes and a machine with an AMD Ryzen 7 processor, using a virtual machine 
with two logical cores and 6 GB of RAM. 


Fig. 2: Execution times in milliseconds of the scalability benchmark series. 
Fig. 3: Execution times in milliseconds of the random benchmark series. 


Scalability Benchmark Series. We test the scalability of the algorithm with pa- 
rameterized decidable benchmarks. The timeout is one minute. Note that spot 
can always perform its optimizations. The satisfiable benchmarks are defined by 
Psat(n) = (Ofk = FI) A (O 7p)) A (Ao P(C’ ())). The parameter n cor- 
responds to the number of updates that have to be performed to find a satis- 
fiable lasso. By Lemma 6, the algorithm always terminates. The TSL formula 
punsat(n) = Olla) + -4f @))))A (Ge = FE) AOCa(x) AC” a(x) defines 
the unsatisfiable benchmarks. The parameter n corresponds to the “distance” 
in time and number of updates of the conflict causing unsatisfiability. The algo- 
rithm always terminates. The results are shown in Figure 2. The algorithm scales 
particularly well for the satisfiable formulas. However, the experiments indicate 
an exponential complexity of the algorithm for the unsatisfiable formulas. 


Random Benchmark Series. We implemented a random TSL formula generator 
that uses spot's ltlrand to generate random LTL formulas and then substitutes 
the atomic propositions with random updates and predicates. The generated 
TSL formulas have one to three cells, one to three different updates and one to 
three different predicates. For the LTL formulas generated by ltlrand we use 
tree sizes from 5 to 95 in steps of five. For each of the tree sizes, we generate 30 
formulas; 570 in total. The execution times are shown in Figure 3. On many for- 
mulas, the algorithm terminates within one second. The implementation returns 
SAT for 513 of the 570 formulas. It times out after 30s on 29 formulas. How- 
ever, the timeouts already occur in the automaton construction, both with and 
without spot's optimizations. Only 28 formulas are unsatisfiable. For 25 of these 
unsatisfiable formulas, the intermediate LTL approximation formula is already 
unsatisfiable, i.e., only for three formulas there is some conflict due to updates 
and predicate evaluation. 
Table 1: Execution times in seconds of the application benchmark series. 

Benchmark               Result   Time 
Chain                   SAT        7.06 
Filter                  UNSAT      0.33 
Gamemodechooser Ass.    UNSAT     35.55 
Holding Arbiter         SAT       11.75 
Small Holding Arbiter   SAT       36.69 
P. T. Arbiter           UNSAT     56.03 
Approx. P. T. Arbiter   UNSAT    940.03 
Inductive Ass.          UNSAT      0.25 
One Of Two              UNSAT      1.20 
One Of Three            UNSAT      4.25 
Injector                UNSAT      1.52 
Invariant Holding       UNSAT      2.33 
Scheduler               UNSAT      3.87 


Applications Benchmark Series. These benchmarks correspond to checking con- 
sistency of a specification and validating assumptions of a system. Hence, they 
illustrate how satisfiability results can aid the system design. The results are 
presented in Table 1. We introduce two of the benchmarks in more detail here. 
The other, slightly larger, ones, including different kinds of arbiters, a scheduler, 
and modules of the Syntroids [17] arcade game, are described in [14]. 

The Chain benchmark considers a compound system of two chained modules 
$m_1$ and $m_2$ that receive an input value, store it, and forward it to the next 
system: $\varphi_i := \Box([\mathit{mem}_i \leftarrowtail \mathit{in}_i] \wedge \bigcirc[\mathit{in}_{i+1} \leftarrowtail \mathit{mem}_i])$ for $i \in \{1, 2\}$. To simulate 
the input of the first module, we use an update with an uninterpreted function: 
$\varphi_{\mathit{inp}} := \Box[\mathit{in}_1 \leftarrowtail f(\mathit{in}_1)]$. We require that if some property $p$ holds on $m_1$'s 
input, $p$ also needs to hold on $m_2$'s output: $\varphi_{\mathit{spec}} := \Box(p(\mathit{in}_1) \to \Diamond p(\mathit{in}_3))$. 
Our algorithm determines within 8s that $(\varphi_{\mathit{inp}} \wedge \varphi_1 \wedge \varphi_2) \wedge \neg\varphi_{\mathit{spec}}$ is satisfiable, 
detecting an inconsistency: If $m_1$ stores some value on which $p$ holds, it may 
overwrite it before $m_2$ copies it, preventing the value from reaching $m_2$'s output. 

The Filter benchmark studies a system that "passes through" an input value 
to a cell if it fulfills a certain property $p$ and holds the previous value otherwise: 
$\varphi_{\mathit{filter}} := [\mathit{out} \leftarrowtail d()] \wedge \Box((p(\mathit{in}) \to [\mathit{out} \leftarrowtail \mathit{in}]) \wedge (\neg p(\mathit{in}) \to [\mathit{out} \leftarrowtail \mathit{out}]))$, 
where $d$ is a constant representing an initial default value. The default value 
fulfills $p$, i.e., $\varphi_{\mathit{fact}} := \Box p(d())$. As for the chain, $\varphi_{\mathit{inp}} := \Box[\mathit{in} \leftarrowtail f(\mathit{in})]$ 
simulates the input. The filter is valid if $p$ holds on all outputs after the ini- 
tialization: $\varphi_{\mathit{spec}} := \bigcirc\Box p(\mathit{out})$. Within 400ms, the algorithm confirms that 
$(\varphi_{\mathit{inp}} \wedge \varphi_{\mathit{fact}} \wedge \varphi_{\mathit{filter}}) \wedge \neg\varphi_{\mathit{spec}}$ is unsatisfiable, validating the filter. 


8 Related Work 


Linear-time temporal logic (LTL) [82] is one of the most popular specification 
languages for reactive systems. It is based on an underlying assertion logic, such 
as propositional logic, which is extended with temporal modalities. Satisfiability 
of propositional LTL has long been known to be decidable [37] and there are efficient 
tools for LTL satisfiability checking [36,25]. 

While propositional LTL is very common, especially in hardware verification, 
LTL with richer assertion logics, such as first-order logic and various theories, 
has long been used in verification (cf. [28]). Temporal Stream Logic (TSL) [15] 
was introduced as a new temporal logic for reactive synthesis. In the original 
TSL semantics, all functions and predicates are uninterpreted. TSL synthesis 
is undecidable in general, even without inputs or equality, but can be under- 
approximated by the decidable LTL synthesis problem [15]. TSL has been used 
to specify and synthesize an arcade game realized on an FPGA [17]. 


Constraint LTL (CLTL) [6] extends LTL with the possibility of expressing 
constraints between variables at bounded distance. A constraint system D con- 
sists of a concrete domain and an interpretation of relations on the domain. 
In Constraint LTL over D (CLTL(D)), one can relate variables with relations 
defined in D. Similar to updates in TSL, CLTL can specify assignment-like state- 
ments by utilizing the equality relation. Like for all constraints allowing for a 
counting mechanism, LTL with Presburger constraints, i.e., CLTL(Z, =, +), is 
undecidable [6]. However, there exist decidable fragments such as LTL with finite 
constraint systems [4] and LTL with integer periodicity constraints [5]. Permit- 
ting constraints between variables at an unbounded distance leads to undecid- 
ability even for constraint systems that only allow equality checks on natural 
numbers. Restricting such systems to a finite number of constraints yields decid- 
ability again [9]. In TSL modulo theories, a theory is given from which a model 
can be chosen. In CLTL, in contrast, the concrete model is fixed. Therefore, TSL 
modulo theories cannot be encoded into CLTL in general. 


LTL has been extended with the freeze operator [8,7], allowing for storing 
an input in a register. Then, the stored value can be compared with a current 
value for equality. Freeze LTL with two registers is undecidable [26,10]. For flat 
formulas, i.e., formulas where the possible occurrences of the freeze operator are 
restricted, decidability is regained [10]. Similar to the freeze operator, updates 
in TSL allow for storing values in cells and in TSL modulo the theory of equality 
the equality check can be performed. In TSL, we can perform computations on 
the stored values, which is not possible in freeze LTL. Hence, freeze LTL can 
be seen as a special case of TSL. Constraint LTL has been augmented with the 
freeze operator as well [10]. For an infinite domain equipped with the equality 
relation, it is undecidable. For flat formulas, decidability is regained [10]. 


The temporal logic of actions (TLA) [24] is designed to model computer 
systems. States are assignments of values to variables and actions relate states. 
Actions can, similar to updates in TSL, describe assignments of variables. A TLA 
formula may contain state functions and predicates. Actions and state functions 
are combined with the temporal operators $\Box$ and $\Diamond$. In contrast to TSL, $\bigcirc$ and $\mathcal{U}$ 
are not permitted. The validity problem for the propositional fragment of TLA, 
i.e., with uninterpreted functions and predicates, is PSPACE-complete [35]. 


Similar to temporal logics, dynamic logic [33,19] is an extension of modal 
logic to reason about computer programs. Dynamic logic allows for stating that 
after action $a$, it is necessarily the case that $p$ holds, or it is possible that $p$ 
holds. Compound actions can be built up from smaller actions. In propositional 
dynamic logic (PDL) [16], data is omitted, i.e., its terms are actions and propo- 
sitions. PDL satisfiability is decidable in EXPTIME [34]. First-order dynamic 
logic (FODL) [18] allows for including data: First-order quantification over a 
first-order structure, the so-called domain of computation, is allowed. Dynamic 
logic does not contain temporal operators such as $\Box$ or $\Diamond$. Since we consider 
reactive systems, i.e., systems that continually interact with their environment, 
temporal logics are better suited than dynamic logics for our setting. 

Symbolic automata (see e.g. [2,3]) and register automata [21] are extensions 
of finite automata that are capable of handling large or infinite alphabets. Reg- 
ister automata have additionally been considered over infinite words in some 
works (see e.g. [8,22,12]). Similar to BSAs, transitions of symbolic automata are 
labeled with predicates over a domain of alphabet symbols. Register automata 
are equipped with a finite amount of registers that, similar to cells in BSAs, can 
store input values. Symbolic register automata (SRAs) [1] combine the features 
of both automata models. BSAs have the additional ability to modify the stored 
values and thus to perform actual computations on them. Moreover, they read 
infinite instead of finite words. Thus, SRAs can be seen as a special case of BSAs. 

More recently, the verification of uninterpreted programs has been investi- 
gated [29]. Uninterpreted programs are similar to WHILE-programs with equality 
and uninterpreted functions and predicates. They are annotated with assump- 
tions. The verification of uninterpreted programs is undecidable in general; for 
the subclass of coherent uninterpreted programs, however, it is decidable [29]. 
The verification problem has been extended with theories, i.e., with axioms over 
the functions and predicates [30]. Adding axioms to coherent uninterpreted pro- 
grams preserves decidability for some axioms, e.g., idempotence, while it yields 
undecidability for others, e.g., associativity. The synthesis problem for uninter- 
preted programs is undecidable in general, but decidable for coherent ones [23]. 


9 Conclusion 


We have extended Temporal Stream Logic (TSL) with first-order theories and 
formalized the satisfiability and validity of a TSL formula in a theory. While we 
show that TSL satisfiability is neither semi-decidable nor co-semi-decidable in 
the theory of uninterpreted functions $T_U$, the theory of equality $T_E$, and Pres- 
burger arithmetic $T_N$, we identify three fragments for which satisfiability in $T_U$ 
is (semi-)decidable: For reachability formulas as well as for formulas with a sin- 
gle cell, TSL satisfiability in $T_U$ is semi-decidable. For slightly more restricted 
reachability formulas, it is decidable. Moreover, we have presented an algorithm 
for checking the satisfiability of a TSL formula in the theory of uninterpreted 
functions that is based on Büchi stream automata, an automaton representation 
of TSL formulas introduced in this paper. Satisfiability checking has various ap- 
plications in the specification and analysis of reactive systems such as identifying 
inconsistent requirements during the design process. We have implemented the 
algorithm and evaluated it on three different benchmark series, including con- 
sistency checks and assumption validations: The algorithm terminates on many 
randomly generated formulas within one second and scales particularly well for 
satisfiable formulas. Moreover, it is able to prove or disprove consistency of re- 
alistic benchmarks and to validate or invalidate their assumptions. 
Abstract. Many type systems include infinite types. In session type 
systems, infinite types are important because they specify communi- 
cation protocols that are unbounded in time. Usually infinite session 
types are introduced as simple finite-state expressions rec X.T or by non- 
parametric equational definitions X = T. Alternatively, some systems of 
label- or value-dependent session types go beyond simple recursive types. 
However, leaving dependent types aside, there is a much richer world of 
infinite session types, ranging through various forms of parametric equa- 
tional definitions, to arbitrary infinite types in a coinductively defined 
space. We study infinite session types across a spectrum of shades of grey 
on the way to the bright light of general infinite types. We identify four 
points on the spectrum, characterised by different styles of equational 
definitions, and show that they form a strict hierarchy by establishing 
bidirectional correspondences with classes of automata: finite-state, 1- 
counter, pushdown and 2-counter. This allows us to establish decidability 
and undecidability results for type formation, type equivalence and dual- 
ity in each class of types. We also consider previous work on context-free 
session types (and extend it to higher-order) and nested session types, 
and locate them on our spectrum of infinite types. 


Keywords: Infinite types - Recursive types - Session types - Automata and 
formal language theory 


1 Introduction 


Session types [19,20,23,38] are an established approach to specifying commu- 
nication protocols, so that protocol implementations can be verified by static 
typechecking or dynamic monitoring. The simplest protocols are finite: for ex- 
ample, ?int.!bool.end describes a protocol in which an integer is received, then a 
boolean is sent, and that’s all. Most systems of session types, however, include 
equi-recursive types for greater expressivity. A type that endlessly repeats the 
simple send-receive protocol is X such that X = ?int.!bool.X, which can also 
be specified by rec X.?int.!bool.X. More realistic examples usually combine re- 
cursion and choice, as in Y such that Y = &{go: ?int.!bool.Y, quit: end} which 
offers a choice between go and quit operations, each with its own protocol. A 
natural observation is that session types look like finite-state automata, but 
some systems from the literature go beyond the finite-state format: for exam- 
ple, context-free session types [39] and nested session types [9,10], as well as 
label-dependent session types [40] and value-dependent session types [41]. 

Even without introducing dependent types, a range of definitional formats 
can be considered for session types, presumably with varying degrees of expres- 
sivity, but they have never been systematically studied. That is the aim of the 
present paper. We consider various forms of parameterised equational defini- 
tions, illustrated by six running examples. Because our formal system only has 
one base type, the terminated channel type end, the running examples simply 
use end (or skip for context-free session types) as a representative basic message 
type that could otherwise be bool or int. 

Our study of classes of infinite types should be generally applicable; we make 
it concrete by concentrating on session types where (potential) infinite types 
occur naturally. For the sake of uniformity, all our non-finite session types are 
introduced by equations, rather than, say, rec-types. Equations may be further 
parameterized, thus accounting for types that go beyond recursive types. The 
examples below illustrate the different kinds of parameterized equations we use. 


Example 1 (No parameters). Type T_loop is X with equation X = !end.X. Intuitively T_loop = !end.!end.... continuously outputs values of type end. 


Example 2 (One natural number parameter). Assuming z and s as the natural number constructors and N as a variable over natural numbers, type T_counter is X(z) with equations 


X(z) = &{inc: X(s z), dump: Y(z)}          Y(z) = end 
X(s N) = &{inc: X(s s N), dump: Y(s N)}    Y(s N) = !end.Y(N) 


A sequence of n inc operations followed by a dump triggers a reply of n end output messages. 


Example 3 (Context-free types). With type skip used either to finish a session or to move to the next operation, type T_free is X with equation 


X = &{leaf: skip, node: X;?skip;X} 


The leaf choice terminates the reception of a binary tree of skip values and the node choice triggers the reception of a (left) tree, followed by ?skip (root), followed by a (right) tree. Even though the development in the rest of the paper considers higher-order types (where messages may convey arbitrary types rather than skip alone), for simplicity our example is first-order. 
Example 4 (One list parameter). Assuming o and τ as symbols and S as a variable over sequences of symbols (with ε the empty sequence), type T_meta is X(ε) with equations 


X(ε) = &{addOut: X(o), addIn: X(τ)} 
X(oS) = &{addOut: X(ooS), addIn: X(τoS), pop: !end.X(S)} 
X(τS) = &{addOut: X(oτS), addIn: X(ττS), pop: ?end.X(S)} 


Type T_meta records simple protocols composed of !end and ?end messages. Symbol o in a parameter to a type identifier X denotes an output message and symbol τ an input message. The protocol behaves as a stack with two distinct push operations (addOut and addIn). The symbol (o or τ) at the top of the stack determines whether a pop operation triggers !end or ?end, respectively. 


Example 5 (Nested types). Taking α as a variable over types, type T_nest is X_ε with equations 


X_ε = &{addOut: X_out(X_ε), addIn: X_in(X_ε)} 
X_out(α) = &{addOut: X_out(X_out(α)), addIn: X_in(X_out(α)), pop: !end.α} 
X_in(α) = &{addOut: X_out(X_in(α)), addIn: X_in(X_in(α)), pop: ?end.α} 


Type identifiers such as X_ε, X_out, X_in take an arbitrary but fixed number of arguments. Type T_nest behaves as T_meta in Example 4. The alignment should be clear if we take, e.g. X_out(X_in(α)) for X(oτS), with o denoting output and τ denoting input. Type identifiers X_out and X_in play the roles of stack symbols (symbols at the top of the stack, o or τ); type variable α denotes the lower part of the stack (S in Example 4). 


Example 6 (Two natural number parameters). Type T_iter is X(z, z) with 


X(z, N') = ?end.Y(z, s N')        Y(N, z) = X(N, z) 
X(s N, N') = !end.X(N, s N')      Y(N, s N') = Y(s N, N') 


Informally, writing !endⁿ for a sequence of n output end messages, these definitions give T_iter = ?end.!end¹.?end.!end².?end.!end³... 


It is intuitively clear that Examples 2 and 4 to 6 cannot be expressed without 
parameters. It is perhaps less clear that each definitional style in Examples 1, 2, 
4 and 6 is strictly more expressive than the previous one. This is the main result 
of the paper. We establish a hierarchy from finite session types all the way up 
to non-computable types that have no representation at all. The latter certainly 
exist, because for every infinite binary expansion of a real number between zero 
and one there is a session type derived by mapping 0 to send and 1 to receive 
— for cardinality reasons, almost all of these types are non-computable. 

Our methodology is to develop the connection between session types and au- 
tomata, in particular between progressively more expressive definitional styles 
of types and progressively more powerful classes of automata. We also consider 
the formal language class corresponding to each class of automata, and the de- 
cidability of important properties such as contractiveness, type formation, type 
equivalence and type duality. Our results are summarised in the table below, 
establishing a hierarchy of session types in parallel to the Chomsky hierarchy of 
languages, where by a 1-counter language, we mean a language accepted by a 
(deterministic) 1-counter automaton and where DCFL abbreviates deterministic 
context-free languages. The final row of the table emphasises that it is impos- 
sible to give an explicit example of a non-computable type or to even state the 
decision problems. 

Context-free and 1-counter types are incomparable. Essentially, both models 
lie between levels 2 and 3 of the Chomsky hierarchy and correspond to different 
restrictions of deterministic pushdown automata. Context-free types correspond 
to constraining automata with a single state, whereas 1-counter types correspond 
to constraining the stack to have a single symbol. 


Type class       | Example    | Contractiveness | Type duality / equivalence | Language model 
-----------------|------------|-----------------|----------------------------|-------------------- 
Finite           | !end.end   | Polytime        | Polytime                   | Finite languages 
Recursive        | T_loop     | Polytime        | Polytime                   | Regular languages 
1-counter        | T_counter  | Polytime        | Polytime                   | 1-counter languages 
HO context-free  | T_free     | Polytime        | Decidable                  | Open³ 
Pushdown         | T_meta     | Polytime        | Decidable                  | DCFL 
Nested           | T_nest     | Polytime        | Decidable                  | DCFL 
2-counter        | T_iter     | Undecidable     | Undecidable                | Decidable languages 
Non-computable   | —          | —               | —                          | General languages 


Our main contributions can be summarized as follows. 


— We propose three novel formal systems for representing session types (1-counter, pushdown, 2-counter), show that they are strictly more expressive than recursive session types, and that each system is strictly more expressive than the previous one (Theorem 1). 

— We show that nested session types [9] are equivalent to pushdown session types (Theorem 1). 

— We introduce higher-order context-free session types and show that they stand strictly between recursive and pushdown types (Theorem 1). 

— We characterize each of the novel session types in our paper by a corresponding class in the Chomsky hierarchy of languages. Notably, we show that each model captures precisely the power of the corresponding class of automata (Theorem 2). This is in contrast with the results of Das et al. [9], who only show (in one direction) that nested session types can be simulated by deterministic pushdown automata. 

— We prove that type formation, type equivalence and type duality are decidable up to pushdown session types (Theorem 3), but undecidable for 2-counter session types (Theorem 4). This implies that equivalence for higher-order context-free session types is decidable. The decidability results are not entirely unexpected, given that type equivalence for nested session types was recently shown to be decidable [9], and that these are equivalent to pushdown types. However, our proofs are independent of Das et al. [9]. 


³ Possibly languages accepted by single-state pushdown automata with empty stack acceptance. 


[Fig. 1: formation rules (T-END, T-MSG, T-CHOICE), equivalence rules (E-END, E-MSG, E-CHOICE) and duality rules (D-END, D-MSG, D-CHOICE) for finite types; rule text not recoverable from the scan.] 
Fig. 1. Finite and infinite types. 


Organization of the paper In Section 2 we introduce the various classes of session types. In Section 3 we explain how to associate to each given type a labelled infinite tree, as well as a set which we call the language of traces of that type. We also present our results on the strict hierarchy of types and state how previously studied classes of types fit into this hierarchy (Theorem 1). In Section 4 we describe how to convert a type into an automaton accepting its traces. In Section 5 we travel in the converse direction, i.e., from an automaton into the corresponding type, and present a characterisation theorem of the different types in our hierarchy (Theorem 2). We then present our main algorithmic results: type formation, type equivalence and type duality are all decidable up to pushdown types (Theorem 3), and undecidable for 2-counter types (Theorem 4). Due to space constraints, all proofs and additional details can be found in the extended version of our paper at arXiv [16]. 


2 Shades of types 


The finite world Finite types are in Fig. 1. The syntax of types is introduced via formation rules, paving the way for infinite types. Session types comprise the terminated type end, the input type ?T.U (input a value of type T and continue as U), the output type !T.U (output a value of type T and continue as U), external choice &{ℓ: T_ℓ}_{ℓ∈L} (receive a label k ∈ L and continue as T_k) and internal choice ⊕{ℓ: T_ℓ}_{ℓ∈L} (select a label k ∈ L and continue as T_k). To avoid repeating similar rules, we use the symbol ♯ to denote either ? or !, and the symbol ⋆ to denote either & or ⊕. At this point type equivalence is essentially syntactic equality, but the rule format allows for seamless extensions to infinite settings. Types, type equivalence and duality are all standard [15,20,44]. Note that rule D-MSG defines duality with respect to type equivalence: !T.V and ?U.W are dual types iff the type being exchanged is the same (T ~ U) and the continuations are dual (V ⊥ W). 

For finite types all judgements in Fig. 1 are interpreted inductively. For example, we can show that !(?end.end).!end.end is a type by exhibiting a finite derivation ending with this judgement. 


[Fig. 2: contractivity rules (C-END, C-MSG, C-CHOICE, C-ID), the formation rule T-ID, and the equivalence and duality rules for identifiers (E-CONSL, E-CONSR, D-IDL, D-IDR); rule text not recoverable from the scan.] 
Fig. 2. Recursive types. Extends Fig. 1. 


The recursive world Recursive types suggest the first glimpse of infinity. The details are in Fig. 2. Recursion is given via equations, rather than μ-types for example, for easier extension. Towards this end, we introduce type identifiers X and equations of the form X = T. The set of type identifiers is finite. We further assume at most one equation for each type identifier, so that there are finitely many type equations. Every valid type T is required to be contractive, that is T contr. Contractiveness ensures that types reveal a type constructor after finitely many unfolds, and excludes undesirable cycles that don't describe any behaviour, e.g. cycles of the form {X = Y, Y = Z, Z = X}. Contractiveness is inductive: we look for finite derivations for T contr judgements. A coinductive interpretation of the rules would allow us to conclude X contr given an equation X = X. In contrast, type formation, type equivalence and duality are now interpreted coinductively. 

For example, no finite derivation would allow showing that T_loop type. Instead we proceed by showing that the set {end, !end.X, X} is backward closed [34] for the rules for T type in Fig. 2, given that !end.X, the right-hand side of the equation for X, is contractive. 
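As an added example (not code from the paper), the two judgements of Fig. 2 in Python for a recursive equation system: T contr as an inductive search that rejects identifier cycles such as {X = Y, Y = Z, Z = X}, and T type as the construction of the backward-closed set, which for T_loop is {end, !end.X, X}. The tuple encoding of types and the sample systems are assumptions of the example.

```python
# Added example (not the paper's code): contractiveness and type formation for
# recursive session types given by equations X = T, following Fig. 2.
# Types are tuples: ('end',), ('msg', '?' or '!', T, U),
# ('choice', '&' or '+', ((label, T), ...)) with '+' standing for internal
# choice, and ('id', 'X') for a type identifier.
from typing import Dict, FrozenSet, Optional, Set

END = ('end',)


def msg(pol: str, t: tuple, u: tuple) -> tuple:
    return ('msg', pol, t, u)


def choice(kind: str, branches: Dict[str, tuple]) -> tuple:
    # Branches are stored as a sorted tuple so that types stay hashable.
    return ('choice', kind, tuple(sorted(branches.items())))


def ident(x: str) -> tuple:
    return ('id', x)


def contractive(t: tuple, eqs: Dict[str, tuple],
                seen: FrozenSet[str] = frozenset()) -> bool:
    """T contr, read inductively: a finite derivation must exist.
    C-END, C-MSG and C-CHOICE close the derivation as soon as a constructor
    is exposed; C-ID unfolds X = T and asks for T contr.  Meeting the same
    identifier twice before any constructor (X = Y, Y = X) means the only
    candidate derivation is infinite, so the judgement fails."""
    if t[0] != 'id':
        return True
    x = t[1]
    if x in seen or x not in eqs:
        return False
    return contractive(eqs[x], eqs, seen | {x})


def premises(t: tuple, eqs: Dict[str, tuple]) -> Optional[list]:
    """Premises of the formation rule whose conclusion is T type (Fig. 1/2),
    or None when no rule applies.  T-ID requires X = T with T contr."""
    if t[0] == 'end':
        return []                                   # T-END
    if t[0] == 'msg':
        return [t[2], t[3]]                         # T-MSG
    if t[0] == 'choice':
        return [u for _, u in t[2]]                 # T-CHOICE
    x = t[1]
    if x not in eqs or not contractive(eqs[x], eqs):
        return None
    return [eqs[x]]                                 # T-ID


def formation_closure(t: tuple, eqs: Dict[str, tuple]) -> Optional[Set[tuple]]:
    """T type, read coinductively: T must belong to a set that is backward
    closed for the formation rules.  The candidate set (T together with every
    premise reachable from it) is finite for an equation system, so it is
    built by exhaustive search and returned; None means some member of it has
    no applicable rule, i.e. T is not a type."""
    closure: Set[tuple] = set()
    todo = [t]
    while todo:
        u = todo.pop()
        if u in closure:
            continue
        ps = premises(u, eqs)
        if ps is None:
            return None
        closure.add(u)
        todo.extend(ps)
    return closure


def is_type(t: tuple, eqs: Dict[str, tuple]) -> bool:
    return formation_closure(t, eqs) is not None


# Constructed systems: T_loop from Example 1, the go/quit protocol from the
# introduction, and the identifier cycle that contractiveness must reject.
LOOP = {'X': msg('!', END, ident('X'))}
GOQUIT = {'Y': choice('&', {'go': msg('?', END, msg('!', END, ident('Y'))),
                            'quit': END})}
CYCLE = {'X': ident('Y'), 'Y': ident('Z'), 'Z': ident('X')}

if __name__ == '__main__':
    print(contractive(ident('X'), LOOP), is_type(ident('X'), LOOP))     # True True
    print(contractive(ident('X'), CYCLE), is_type(ident('X'), CYCLE))   # False False
    print(formation_closure(ident('X'), LOOP))   # the backward-closed set for T_loop
```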
[Fig. 3: natural numbers, contractivity rules C-z and C-s, formation rules T-z and T-s, and equivalence rules E-zL and E-sL for 1-counter types; rule text not recoverable from the scan.] 
Fig. 3. 1-counter types. Extends Fig. 2; removes X; adds X(n). Right versions of rules E-zL and E-sL omitted. New rules for duality obtained from those for equivalence by replacing ~ by ⊥. 


The 1-counter world The next step takes us to equations parameterised on natural numbers. The details are in Fig. 3. Natural numbers are built from the nullary constructor z and the unary constructor s. We discuss the changes from the recursive world in Fig. 2. Given a variable N on natural numbers, to each type identifier X we associate at most two equations, X(z) = T and X(s N) = U. The rules for recursive types are naturally adapted to 1-counter types. Here again, type formation requires a suitable notion of contractiveness to exclude cycles of equations that never reach a type identifier, e.g. cycles of the form {X(s N) = Y(s s N), Y(s N) = X(N)}. The right-hand side of an equation X(s N) = T is not necessarily a type, for it may contain natural number variables (N in particular). However, if n is a natural number, then T[n/N] (that is, T with occurrences of N replaced by n) should be a type (cf. rule T-s). Again, to prove that T_counter type, we show backward closure of the set {X(n), Y(n), end, !end.Y(n), &{inc: X(s n), dump: Y(n)} | n nat} for the type formation rules. 


Higher-order context-free session types A little detour takes us to context-free 
session types, proposed by Thiemann and Vasconcelos [39] (see also Almeida et 
al. [1]). Here we follow the distilled presentation of Almeida et al. [2], extending 
types to the higher-order setting (that is, allowing ?T and !T for an arbitrary 
type T instead of just basic type skip). 


The pushdown world The next extension replaces natural numbers by finite sequences s of symbols σ taken from a given stack alphabet. The details are in Fig. 4. We use ε to denote the empty sequence. The extension from 1-counter is straightforward. Parameters to type identifiers are now sequences of symbols, rather than natural numbers; all the rest remains the same. Once again, to show that T_meta type, we proceed coinductively. 
[Fig. 4: strings, contractivity rules C-z and C-s, formation rules T-z and T-s, and equivalence rules E-zL and E-sL for pushdown types; rule text not recoverable from the scan.] 
Fig. 4. Pushdown types. Extends Fig. 2; removes X; adds X(s). Right versions of rules E-zL and E-sL omitted. For duality, proceed as in Fig. 3. 


Nested session types A class of types that turns out to be equivalent to pushdown 
types was recently proposed by Das et al. [9]. The main idea is to have type 
identifiers that are applied not to natural numbers or to sequences of symbols 
but to types themselves, and to let type identifiers take a variable (but fixed) 
number of parameters. 


The 2-counter world 2-counter types extend the 1-counter types by introducing equations parameterised on two natural numbers, rather than one. The new rules are a straightforward adaptation of those in Fig. 3 for 1-counter types and are thus omitted. To show that T_iter type, we proceed coinductively. 


The infinite world The final destination takes us to arbitrary, coinductive, in- 
finite types. The details are in Fig. 1, except that all judgements not explicitly 
marked are taken coinductively. No equations (of any sort) are needed, just plain 
infinite types. We also allow choices with an infinite number of branches. 

Infinite types arise by interpreting the syntax rules coinductively, which gives rise to potentially infinite chains of interactions. The structure of these arbitrary, coinductively defined, infinite types does not need to follow any pattern (e.g. it does not need to repeat itself), and arguably, the best way to think about these objects is as labelled infinite trees (Section 3). Such objects do not in general have a finite representation (or finite encoding), which can be shown by a simple cardinality argument. Hence the need for finding suitable subclasses of infinite types that can be represented and can be used in practice. 

We can think of a type in two possible ways: as (one of) its representation(s), 
which is great for practical purposes as we can reason about types by reasoning 
about their representations; or as the underlying, possibly infinite, coinductive 
object which is being represented, which is suitable for developing a theory of 
types, in particular for comparing different models with one another. 
3 Types, trees and traces 


It should be clear that the constructions defined in Section 2 form some sort of type hierarchy; this section studies the hierarchy. In any case, every type lives in the largest universe: that of arbitrary, coinductively defined, infinite types. To each type one can associate a labelled infinite tree [14,32]. This tree can in turn be expressed by the language of words encoding its paths. Let 𝓛 be the set of labels used in choice types. Following Pierce [32, Definition 21.2.1], a tree is a partial function t ∈ ({d,c} ∪ 𝓛)* ⇀ {end, ?, !, &_L, ⊕_L | L ⊆ 𝓛} subject to the following constraints (σ ranges over symbols and π over strings of symbols): 


— t(ε) is defined; 

— if t(πσ) is defined, then t(π) is defined; 

— if t(π) = ? or t(π) = !, then t(πσ) is defined for σ ∈ {d,c} and undefined for all other σ; 

— if t(π) = &_L or t(π) = ⊕_L, then t(πσ) is defined for σ ∈ L and undefined for all other σ; 

— if t(π) = end, then t(πσ) is undefined for all σ. 


The labels d and c are abbreviations for data and continuation, corresponding 
to the two components of session types for messages. 

If all sets L in a tree are finite, the tree is finitely branching. The tree gen- 
erated by a (finite or infinite) type is coinductively defined as follows. 


treeof(♯T_d.T_c)(ε) = ♯                      treeof(⋆{ℓ: T_ℓ}_{ℓ∈L})(ε) = ⋆_L 
treeof(♯T_d.T_c)(dπ) = treeof(T_d)(π)        treeof(⋆{ℓ: T_ℓ}_{ℓ∈L})(ℓπ) = treeof(T_ℓ)(π) 
treeof(♯T_d.T_c)(cπ) = treeof(T_c)(π)        treeof(end)(ε) = end 


A path in a tree t is a word obtained by combining the symbols in the domain and the range of t. Given a symbol σ ∈ {?, !, &_L, ⊕_L | L ⊆ 𝓛} in the codomain of t (but different from end), and a symbol τ ∈ {d,c} ∪ 𝓛, let ⟨σ,τ⟩ denote the combination of both symbols, viewed as a letter over the alphabet {?, !, &_L, ⊕_L | L ⊆ 𝓛} × ({d,c} ∪ 𝓛). For simplicity in exposition, we often drop the angular brackets and the subscript L on the label set, and write, for example, ?c instead of ⟨?,c⟩, ⊕l instead of ⟨⊕_L, l⟩, etc. 

Given a string π in the domain of a tree t, we can define the word path_t(π) recursively as path_t(ε) = ε and path_t(πτ) = path_t(π) · ⟨t(π), τ⟩. We say that a string π is terminal wrt t if t(π) = end. For terminal strings, we can further define dpath_t(π) = path_t(π) · end. 

Finally, we can define the language of (the paths in) a tree t as the set {path_t(π) | π ∈ dom(t)} ∪ {dpath_t(π) | π ∈ dom(t), π is terminal wrt t}. The language of (the traces of) a type T, denoted by ℒ(T), is the language of treeof(T). Note that the traces of types are defined over the following alphabet. 

Σ = {?, !, &_L, ⊕_L | L ⊆ 𝓛} × ({d,c} ∪ 𝓛) ∪ {end}        (1) 
Fig. 5. The tree and the language of type T_loop. 
Fig. 7. The tree and the language of type T_free. 


Figure 5 depicts (a finite fragment of) the tree corresponding to treeof(T_loop) (Example 1) and (some of the words in) its language ℒ(T_loop). Type T_counter (Example 2) describes an interaction that keeps track of a counter. Finite fragments of the corresponding tree and language are depicted in Fig. 6. Type T_free (Example 3) describes the reception of a binary tree of end values. Finite fragments of the corresponding tree and language are depicted in Fig. 7. 

In the above examples, the language ℒ(T) is closed under prefixes. This holds for a general type T, since elements of ℒ(T) correspond to paths in treeof(T). 


Proposition 1. If w ∈ ℒ(T) and u is a prefix of w then u ∈ ℒ(T). 
Another immediate observation is that treeof (resp. ℒ) is an embedding from 
the class of all types to the class of all trees (resp. all languages). 


Proposition 2. Let T and U be two types. The following are equivalent: a) T ~ U; b) treeof(T) = treeof(U); c) ℒ(T) = ℒ(U). 


Proposition 2 tells us that two types are equivalent iff they have the same traces. In general, trace equivalence is a notion weaker than bisimulation [34]. However, both notions coincide for deterministic transition systems. The syntax of (infinite) session types is in fact deterministic (e.g. given a label ℓ for a choice, there can only be one type that continues from &ℓ), which explains our result. 
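An added example (not the paper's code) that computes a finite fragment of treeof(T) and the trace words path_t and dpath_t for recursive types, checks the prefix closure of Proposition 1 on it, and compares bounded traces of two equivalent types as a sanity check on Proposition 2 (bounded agreement is evidence, not a proof; the automata of Section 4 decide equivalence). The tuple encoding of types, with '+' written for ⊕, and the sample systems are assumptions.

```python
# Added example (not the paper's code): a finite fragment of treeof(T) and the
# trace words path_t / dpath_t of Section 3, for recursive types given by
# equations.  Type encoding: ('end',), ('msg', '?' or '!', T, U),
# ('choice', '&' or '+', ((label, T), ...)), ('id', 'X'); the system is
# assumed contractive, so unfolding identifiers always reaches a constructor.
from typing import Dict, Set, Tuple

Path = Tuple[str, ...]          # a string over {d, c} ∪ labels
Word = Tuple                    # letters (label, symbol), or the letter 'end'


def treeof(t: tuple, eqs: Dict[str, tuple], depth: int) -> Dict[Path, str]:
    """The partial function t: ({d,c} ∪ L)* ⇀ {end, ?, !, &, +}, restricted to
    strings of length at most `depth`.  The subscript L on & and + is left
    implicit: the defined children of a choice node are exactly its labels."""
    tree: Dict[Path, str] = {}
    todo = [((), t)]
    while todo:
        pi, u = todo.pop()
        if len(pi) > depth:
            continue
        while u[0] == 'id':            # unfold equations until a constructor shows
            u = eqs[u[1]]
        if u[0] == 'end':
            tree[pi] = 'end'           # no children: t(πσ) undefined for all σ
        elif u[0] == 'msg':
            tree[pi] = u[1]            # children d (data) and c (continuation)
            todo += [(pi + ('d',), u[2]), (pi + ('c',), u[3])]
        else:
            tree[pi] = u[1]            # one child per label ℓ ∈ L
            todo += [(pi + (lab,), v) for lab, v in u[2]]
    return tree


def path(tree: Dict[Path, str], pi: Path) -> Word:
    """path_t(ε) = ε and path_t(πτ) = path_t(π) · ⟨t(π), τ⟩."""
    return tuple((tree[pi[:i]], pi[i]) for i in range(len(pi)))


def traces(tree: Dict[Path, str]) -> Set[Word]:
    """{path_t(π) | π ∈ dom t} ∪ {dpath_t(π) | π terminal}, dpath = path · end."""
    words: Set[Word] = set()
    for pi, label in tree.items():
        w = path(tree, pi)
        words.add(w)
        if label == 'end':
            words.add(w + ('end',))
    return words


def prefix_closed(words: Set[Word]) -> bool:
    """Proposition 1: every prefix of a trace is itself a trace."""
    return all(w[:i] in words for w in words for i in range(len(w)))


def render(w: Word) -> str:
    """Write ⟨!, c⟩ as !c, as the paper does (e.g. '!c !d end')."""
    return ' '.join(a if a == 'end' else a[0] + a[1] for a in w)


# Constructed systems: T_loop (Example 1) and the go/quit protocol from the
# introduction.
LOOP = {'X': ('msg', '!', ('end',), ('id', 'X'))}
GOQUIT = {'Y': ('choice', '&',
                (('go', ('msg', '?', ('end',), ('msg', '!', ('end',), ('id', 'Y')))),
                 ('quit', ('end',))))}

if __name__ == '__main__':
    for w in sorted(traces(treeof(('id', 'X'), LOOP, 3)), key=len):
        print(repr(render(w)))      # '', '!d', '!c', '!d end', '!c !d', ...
```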

Section 2 introduces eight classes of types. We now distinguish them by means of subscripts: finite types (T type_f, Fig. 1), recursive types (T type_r, Fig. 2), 1-counter types (T type_1, Fig. 3), context-free types (T type_c), pushdown types (T type_p, Fig. 4), nested types (T type_n), 2-counter types (T type_2) and coinductive, infinite types (T type_ω, Fig. 1 with rules interpreted coinductively). To each class of types we introduce the corresponding class of languages. For example, T_r is the set {ℒ(T) | T type_r}. The strict hierarchy result is as follows: 


T_f ⊊ T_r ⊊ T_1 ⊊ T_p ⊊ T_2 ⊊ T_ω 


We remark that the last step in the chain of strict inclusions is obtained by a cardinality argument, since the set T_ω is uncountable. This shows an even stronger statement: for any finite representation system (including the systems T_f to T_2, as well as T_c and T_n), there is an infinite, uncountable set of types that cannot be represented by that system. 

We now turn our attention to nested types (T type_n), which turn out to be equivalent to pushdown types, and further establish equivalent sub-hierarchies inside both classes, parameterised by the 'complexity' of the corresponding representations. For pushdown session types, a natural measure of complexity is the number of type identifiers required to represent a given type. This number can be arbitrarily large, but always finite. For a given k ∈ ℕ, we let T_p^k denote the subset corresponding to those types that can be represented with at most k type identifiers. When k = 0, there are no identifiers, and we can only represent finite types. As k increases, so does the expressivity of our constructions, and we have the infinite chain of inclusions⁴ 


T_f = T_p^0 ⊊ T_p^1 ⊆ T_p^2 ⊆ ··· ⊆ T_p. 

Similarly, for nested session types we can define a hierarchy by looking at the arities of the type identifiers used. For a given k ∈ ℕ, we let T_n^k denote the subset corresponding to the nested session types whose type identifiers have arity at most k. When k = 0 all type identifiers are constant, and we recover the class of recursive types. As k increases, so does the expressivity, and we also have an infinite chain of inclusions⁴ 


T_r = T_n^0 ⊆ T_n^1 ⊆ ··· ⊆ T_n. 


⁴ Although not proven, we conjecture that all inclusions are strict. 
It turns out that these hierarchies are one and the same (with the exception of the bottom level), so that we have⁴ 


T_f = T_p^0 ⊊ T_r = T_n^0 ⊊ T_p^1 = T_n^1 ⊆ T_p^2 = T_n^2 ⊆ ··· ⊆ T_p = T_n. 


Higher-order context-free types (denoted by T_c) lie between levels 0 and 1 in the sub-hierarchies above, i.e., they can represent recursive types, and can be represented by pushdown session types using at most one type identifier, or equivalently, by nested session types with either constant or unary type identifiers, so that we have 

T_r ⊊ T_c ⊆ T_p^1 = T_n^1. 


We have a stronger observation than the inclusion T_c ⊆ T_p^1: context-free session types are included in pushdown session types which have only one type identifier X, and where the equation X(ε) = end accounts for the only occurrence of end. The latter means that the type ends iff the state X(ε) is reached, that is, iff the stack is empty. Thus, we can intuitively think of context-free session types as pushdown types with a single identifier and an empty stack acceptance criterion. This observation points to the fact that the qualifier 'context-free' in the so called context-free session types is a misnomer [9]. 

The result below summarises the entire hierarchy. 


Theorem 1 (Inclusions). 


T_f = T_p^0 ⊊ T_r = T_n^0 ⊊ T_c ⊆ T_p^1 = T_n^1 ⊆ ··· ⊆ T_p = T_n ⊊ T_2 ⊊ T_ω 

and, on a separate branch between recursive and pushdown types, T_r ⊊ T_1 ⊊ T_p. 


4 From types to automata 


This section describes procedures to convert types in different levels of the hier- 
archy (recursive systems, 1-counter, pushdown and 2-counter) into automata at 
the same level. All constructions follow the same guiding principles, so we focus 
on the bottom level of the hierarchy (recursive systems) and then highlight the 
main differences as we advance in the hierarchy. 

All automata that we consider are deterministic and total, i.e., the transition functions are such that any input word has a well-defined, unique computation path. We use the alphabet Σ defined in (1). Standard references in automata theory are Hopcroft and Ullman's book [22] and Valiant's PhD thesis [42]. 


Recursive types and finite-state automata Following the usual notation, a (deterministic) finite-state automaton is given by a set Q of states, with a specified initial state q_0 ∈ Q, a transition function δ : Q × Σ → Q, and a set A ⊆ Q of accepting states. Given a finite word a_1 a_2 ··· a_n, its execution by the automaton yields the sequence of states s_0, s_1, ..., s_n where s_0 = q_0 and s_{i+1} = δ(s_i, a_{i+1}). A word is accepted by the automaton if its execution ends in an accepting state. 
The definition of finite-state automata can be augmented into other types of automata. Essentially: in a 1-counter automaton we have access to a counter (with operations for incrementing, decrementing, and checking whether the counter is non-zero), in addition to the current state; in a pushdown automaton we have access to a stack (with operations for pushing a symbol, popping a symbol, and observing the top symbol of the stack); in a 2-counter automaton, we have access to two counters. 

Suppose we are given a system of recursive equations {X_i = T_i}_{i∈I} over a set 𝒳 = {X_i}_{i∈I} (which may or may not be contractive, i.e., define a type). Our first step is to convert this system into a normal form in which every right-hand side is either an identifier X, or a single application of one of the type constructors end, ?X.Y, !X.Y, &{ℓ: X_ℓ}_{ℓ∈L} or ⊕{ℓ: X_ℓ}_{ℓ∈L}. We can do this by introducing fresh, intermediate identifiers as needed. Essentially, whenever we have an equation X = ?T_1.T_2 where T_1, T_2 are not identifiers, we add two new identifiers X', X'', replace the above equation by X = ?X'.X'', and add two new equations X' = T_1 and X'' = T_2. The process is similar for the other type constructors. By doing this repeatedly, we "break down" a long equation into many small equations. The number of new identifiers is linear in the size of the original system of equations. 

Given such a system, we construct a finite-state automaton (over the alphabet Σ) as follows. The automaton has a state q_X for every type identifier X, and two additional states: an 'end' state q_end and an 'error' state q_error. The transitions from q_error are described by q_error --a--> q_error for every symbol a. Similarly, the transitions at q_end are described by q_end --a--> q_error for every symbol a. The transitions at state q_X are given by the corresponding equation for identifier X, in the obvious way. Some examples: 


— If our system contains equation X = Y, we have the ε-transition q_X --ε--> q_Y. 

— If our system contains X = !Y.Z, we have the reading transitions q_X --!d--> q_Y, q_X --!c--> q_Z, and q_X --a--> q_error for any a ≠ !d, !c. 

— If our system contains X = ⊕{l: X, m: Y}, we have the reading transitions q_X --⊕l--> q_X, q_X --⊕m--> q_Y and q_X --a--> q_error for any a ≠ ⊕l, ⊕m. 

— If our system contains X = end, we have the reading transitions q_X --end--> q_end and q_X --a--> q_error for any a ≠ end. 


We define all states other than q_error to be accepting states.^5 Notice that the
finite-state automaton described above is an automaton with possible ε-moves.
Although, by definition, deterministic finite-state automata do not permit ε-moves,
in our case paths of ε-moves are uniquely determined and always reach a state
without outgoing ε-transitions (they cannot become stuck in a loop, assuming type
contractivity). We can convert the given automaton into an equivalent automaton
without ε-moves by 'shortcutting' such moves. Formally, suppose a state X has an
outgoing ε-transition to Y; by construction, it is X's only outgoing transition.
Assuming X and Y are different states, we can change every transition entering X
and make it enter Y instead; finally, we can remove state X (hence removing the
ε-transition from X).

We show in Fig. 8 the automaton that corresponds to type T_loop (Example 1).
Every missing transition points to q_error, which is not shown. In our examples, all
depicted states are accepting, so we omit the usual double circle notation.

[Fig. 8 (diagram not reproduced): the equation X = !end.X and the arc labels !d, !c and end.]
Fig. 8. An automaton for T_loop with initial state q_X. All depicted states are accepting.

^5 We need all states to be accepting, since we might need to look at finite traces to
distinguish between two types. For example, X = &{a: X} and Y = &{b: Y} define
non-equivalent types that have no finite terminating paths.
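The construction above (reading transitions from the four equation shapes, every missing transition to q_error, all states except q_error accepting, and the ε-shortcutting step) as an added Python example that is not part of the paper; the tuple encoding of equations, the "q_" state names and the class name are our own choices.

```python
# Added example (not the paper's code): build the deterministic finite-state
# automaton for a system of recursive session-type equations and shortcut its
# ε-moves, as described in the text.
from typing import Dict, List, Tuple

ERROR, END = "q_error", "q_end"

# Constructed encoding of the four equation shapes handled in the text:
#   ("var", "Y")                  X = Y            (ε-move q_X -> q_Y)
#   ("out", "Y", "Z")             X = !Y.Z         (!d enters q_Y, !c enters q_Z)
#   ("branch", {"l": "Y", ...})   X = &{l: Y, ...} (&l enters q_Y, ...)
#   ("end",)                      X = end          (end enters q_end)
Equation = Tuple
Delta = Dict[Tuple[str, str], str]

def q(x: str) -> str:
    return "q_" + x

def raw_transitions(eqs: Dict[str, Equation]) -> Tuple[Delta, Dict[str, str]]:
    """Reading transitions and ε-moves taken straight from the equations."""
    delta: Delta = {}
    eps: Dict[str, str] = {}
    for x, eq in eqs.items():
        kind = eq[0]
        if kind == "var":
            eps[q(x)] = q(eq[1])
        elif kind == "out":
            delta[(q(x), "!d")] = q(eq[1])
            delta[(q(x), "!c")] = q(eq[2])
        elif kind == "branch":
            for label, y in eq[1].items():
                delta[(q(x), "&" + label)] = q(y)
        elif kind == "end":
            delta[(q(x), "end")] = END
        else:
            raise ValueError(f"unknown equation form {kind!r}")
    return delta, eps

def resolve(state: str, eps: Dict[str, str]) -> str:
    """Follow the (unique) ε-path from `state` to a state with no ε-move.
    A cycle would mean the system is not contractive, which the text assumes."""
    seen = set()
    while state in eps:
        if state in seen:
            raise ValueError(f"non-contractive ε-cycle through {state}")
        seen.add(state)
        state = eps[state]
    return state

class TypeAutomaton:
    def __init__(self, eqs: Dict[str, Equation], start: str):
        delta, eps = raw_transitions(eqs)
        # Shortcutting: every transition that entered an ε-state now enters the
        # end of its ε-chain, and the ε-states themselves are dropped.
        self.delta: Delta = {(s, a): resolve(t, eps)
                             for (s, a), t in delta.items() if s not in eps}
        self.start = resolve(q(start), eps)

    def run(self, trace: List[str]) -> str:
        state = self.start
        for a in trace:
            # Every missing transition (including all moves out of q_end) goes to q_error.
            state = self.delta.get((state, a), ERROR)
        return state

    def accepts(self, trace: List[str]) -> bool:
        # All states except q_error are accepting, so every prefix of a trace is accepted.
        return self.run(trace) != ERROR

# T_loop of Fig. 8, written with an explicit identifier E = end (constructed).
T_LOOP = {"X": ("out", "E", "X"), "E": ("end",)}
```

The footnote's pair X = &{a: X} and Y = &{b: Y} is told apart by the finite trace &a, which the first automaton accepts and the second sends to q_error.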


1-counter types For 1-counter systems, the only difference in the above construction
is that instead of non-parameterised identifiers our equations now involve terms of
the form X(z), X(sz), X(N), X(sN), etc. We assume for simplicity that the identifiers
appearing in these equations are restricted as follows: if the left-hand side of an
equation is of the form X(z), then the identifiers appearing in the right-hand side
must be of the form X'(z) or X'(sz) (with X' possibly different from X); and if the
left-hand side of an equation is of the form X(sN), then the identifiers appearing in
the right-hand side must be of the form X'(N), X'(sN) or X'(ssN). Any system can be
converted into this form by adding finitely many new equations, e.g. X(z) = Y(sssz)
can be rewritten as

    X(z) = X'(sz)        X'(sN) = X''(ssN)        X''(sN) = Y(ssN)

and X(sN) = Y(z) can be rewritten as

    X(sN) = X'(N)        X'(sN) = X'(N)        X'(z) = Y(z).


We can convert a 1-counter type into a (deterministic) 1-counter automaton,
so that the transition function depends on whether the counter value is zero
(corresponding to a left-hand side of the form X(z)) or positive (corresponding
to a left-hand side of the form X(sN)). Furthermore, the changes in the counter
value along the identifiers are incorporated by changes in the counter value along
the automaton. For example, take equation X(sN) = Y(N). The corresponding
transition from (q_X, s, ε) to q_Y decrements the counter.

For illustration purposes, we show how to construct a 1-counter automaton
accepting L(T_counter) from Example 2. First, we need to convert the equation
for Y(sN) into normal form. We add an extra identifier Z and write

    X(z) = &{inc: X(sz), dump: Y(z)}        X(sN) = &{inc: X(ssN), dump: Y(sN)}
    Y(z) = end                               Y(sN) = !Z(sN).Y(N)
    Z(z) = end                               Z(sN) = end


The corresponding automaton has states q_X, q_Y, q_Z, one for each type identifier
X, Y, Z, as well as an additional state q_end. The outgoing transitions for state q_X
are the same regardless of the counter value: either read &inc, incrementing the
counter and staying in q_X; or read &dump, keeping the counter value and moving
to q_Y. For state q_Y, if the counter is zero, we can read end while moving to state
q_end. On the other hand, if the counter is non-zero, we can read !d, keeping the
counter value and moving to q_Z; or read !c, decrementing the counter value and
staying in q_Y. Finally, for state q_Z we can only read end and move to state q_end.
Whatever we write in the equation for Z(z) is irrelevant, as this configuration is
unreachable. All of this gives the automaton in Fig. 9.

[Fig. 9 (diagram not reproduced): equations X(z) = &{inc: X(sz), dump: Y(z)}, X(sN) = &{inc: X(ssN), dump: Y(sN)}, Y(z) = end, Y(sN) = !end.Y(N); states q_X, q_Y, q_Z, q_end; arc labels -,&inc | +; -,&dump | =; s,!c | −; s,!d | =; z,end | =; -,end | =.]
Fig. 9. A 1-counter automaton for type T_counter = X(z). The initial configuration is
(q_X, 0). Here a transition δ(q, g, a) = (o, q') is denoted by an arc from q to q' with
label g,a | o, where g ∈ {z, s}, a ∈ {ε} ∪ Σ, and o ∈ {=, +, −}. If both g = z and g = s
lead to the same transition, then we use the symbol - to refer to both transitions. All
depicted states are accepting, and non-depicted transitions lead to a non-accepting
sink state.
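The 1-counter construction above, carried out in code for the normal-form equations of T_counter, as an added Python example that is not part of the paper; the encoding of equations (each right-hand-side identifier carries the counter change its argument implies), the state names and the function names are our own.

```python
# Added example (not the paper's code): build the deterministic 1-counter
# automaton of Fig. 9 from the normal-form equations of T_counter and run it on
# traces. The encoding is ours: each (identifier, guard) pair maps to a
# right-hand side whose identifiers carry the counter change implied by their
# argument, which is how the text turns counter changes along identifiers into
# counter changes along the automaton:
#   under guard "z":  X'(z) -> 0,  X'(sz) -> +1
#   under guard "s":  X'(N) -> -1, X'(sN) -> 0,  X'(ssN) -> +1
from typing import Dict, Tuple, List

Ref = Tuple[str, int]                 # (identifier, counter change)
Key = Tuple[str, str, str]            # (state, guard "z"/"s", symbol)
Move = Tuple[int, str]                # (counter change, next state)

# Normal-form equations of T_counter from the text (constructed encoding):
#   X(z)  = &{inc: X(sz), dump: Y(z)}     X(sN) = &{inc: X(ssN), dump: Y(sN)}
#   Y(z)  = end                           Y(sN) = !Z(sN).Y(N)
#   Z(z)  = end                           Z(sN) = end
T_COUNTER = {
    ("X", "z"): ("branch", {"inc": ("X", +1), "dump": ("Y", 0)}),
    ("X", "s"): ("branch", {"inc": ("X", +1), "dump": ("Y", 0)}),
    ("Y", "z"): ("end",),
    ("Y", "s"): ("out", ("Z", 0), ("Y", -1)),
    ("Z", "z"): ("end",),
    ("Z", "s"): ("end",),
}

def build(eqs) -> Dict[Key, Move]:
    """Transition function δ(q, g, a) = (o, q') with o the counter change."""
    delta: Dict[Key, Move] = {}
    for (x, g), eq in eqs.items():
        state = "q_" + x
        if eq[0] == "branch":
            for label, (y, d) in eq[1].items():
                delta[(state, g, "&" + label)] = (d, "q_" + y)
        elif eq[0] == "out":                   # !T.U: !d enters T, !c enters U
            (y, dy), (z, dz) = eq[1], eq[2]
            delta[(state, g, "!d")] = (dy, "q_" + y)
            delta[(state, g, "!c")] = (dz, "q_" + z)
        elif eq[0] == "end":
            delta[(state, g, "end")] = (0, "q_end")
        else:
            raise ValueError(f"unknown equation form {eq[0]!r}")
    return delta

def run(delta: Dict[Key, Move], trace: List[str],
        start: Tuple[str, int] = ("q_X", 0)) -> Tuple[str, int]:
    """Run from a configuration (state, counter); the guard is chosen by the counter."""
    state, n = start
    for a in trace:
        if state == "q_error":
            break
        guard = "z" if n == 0 else "s"
        # Non-depicted transitions lead to the non-accepting sink q_error.
        d, state = delta.get((state, guard, a), (0, "q_error"))
        n += d
    return state, n

def accepts(delta: Dict[Key, Move], trace: List[str]) -> bool:
    return run(delta, trace)[0] != "q_error"
```

The transition table contains an entry for (q_Z, z, end) although that configuration is never reached, matching the remark that the equation for Z(z) is irrelevant.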


Pushdown types Pushdown systems are similar, but now the behaviour of an
identifier is specified by |Δ| + 1 equations, where Δ is the stack alphabet: one
equation for each possible symbol at the top of the stack, and one equation for the
case that the stack is empty. Accordingly, we use a (deterministic) pushdown
automaton to simulate the stack contents by means of push and pop operations.
The transitions from a state q_X and a given stack indicator in {ε} ∪ Δ are once
more given by the corresponding equation with X as the type identifier on the
left-hand side. Fig. 10 shows a pushdown automaton accepting L(T_meta).


2-counter types The translation to 2-counter automata is as for the 1-counter
case, but now the behaviour is specified by one of four different cases, depending
on which of the two counters is zero or non-zero. Accordingly, we use a
(deterministic) 2-counter automaton with the appropriate transition function.


5 From automata to types 


The construction in Section 4 explains how we can build an automaton from a
system of equations at some level in the hierarchy. If X(σ) type_p, then the language
of the type given by X(σ) is the language accepted by the automaton with initial
configuration (q_X, σ) (and similarly for recursive, 1-counter, and 2-counter types).
Conversely, given an automaton which accepts the language of traces of a type, we
can construct the corresponding system of equations that specifies that type. This
allows us to obtain a complete correspondence between classes of types and
different models of computation based on automata theory. The following result is
stronger than previous similar results, which only show a forward implication [9].
Recall that a language is said to be regular if it is the set of words accepted by some
finite-state automaton. We also say that a tree is regular if it has a finite number of
distinct subtrees.

[Fig. 10 (diagram not reproduced): equations X(ε) = &{addOut: X(α), addIn: X(β)}, X(αS) = &{addOut: X(ααS), addIn: X(βαS), pop: !end.X(S)}, X(βS) = &{addOut: X(αβS), addIn: X(ββS), pop: ?end.X(S)}; arc labels -,&addOut | +α and -,&addIn | +β.]
Fig. 10. A pushdown automaton for type T_meta = X(ε). The initial configuration is
(q_X, ε). A transition δ(q, g, a) = (o, q') is denoted by an arc from q to q' with label
g,a | o, where g ∈ {ε} ∪ Δ, a ∈ {ε} ∪ Σ, and o ∈ Op. If all choices of g lead to the same
transition, we use - to stand for all transitions. All depicted states are accepting.


Theorem 2 (Types, traces and automata).

1. T type_r iff L(T) is regular iff treeof(T) is regular.
2. T type_1 iff L(T) is accepted by a 1-counter automaton.
3. T type_p iff L(T) is a deterministic context-free language.
4. T type_2 iff L(T) is decidable.


We can now address the decidability of the key problems of type formation,
type equivalence and type duality for our various classes of type languages.

Theorem 3 (Decidability results).

1. Problems T type_r, T type_1 and T type_p are all decidable in polynomial time.
2. Problems T ~_r U, T ~_1 U and T ~_p U are all decidable.
3. Problems T ⊥_r U, T ⊥_1 U and T ⊥_p U are all decidable.

We are also able to prove that these problems are undecidable for 2-counter
types, since Theorem 2 also provides a construction from automata to systems
of equations, and the corresponding problems for automata are undecidable.

Theorem 4 (Undecidability results).
Problems T type_2, T ~_2 U and T ⊥_2 U are all undecidable.


6 Related work 


The first papers on session types by Honda [19] and Takeuchi et al. [38] feature
finite types only. Recursive types were introduced later [20] using μ-notation.
Gay and Hole [15] introduce algorithms for deciding duality and subtyping of
finite-state session types, based on bisimulation. Much of the literature on session
types, surveyed by Hüttel et al. [23], uses the same approach. The natural decision
algorithms for duality and subtyping presented by Gay and Hole were shown to be
exponential in the size of the types by Lange and Yoshida [27], due to reliance on
syntactic unfolding. Our polytime complexity for recursive type equivalence follows
from the equivalence algorithm for finite-state automata by Hopcroft and Karp [21],
and thus has quadratic complexity in the description size, improving on Gay and
Hole. Lange and Yoshida use an automata-based algorithm to also achieve quadratic
complexity for checking subtyping.

We use a coinductive formulation of infinite session types. This approach has
some connections with the work of Keizer et al. [25] who present session types as
states of coalgebras. Their types are restricted to finite-state recursive types, but
they do address subtyping and non-linear types, two notions that we do not take
into consideration. Our coinductive presentation avoids explicitly building
coalgebras, and follows Gay et al. [17], solving problems with duality in the
presence of recursive types [5,17,28].

We have not addressed the problem of deciding subtyping, but the panorama is
not promising. Subtyping is known to be decidable for recursive types T_r [15] and
undecidable for context-free types T_c [31] or nested types with arity at most one
T_n^1 [10], hence for pushdown types with one type constructor T_p^1 (Theorem 1).
The undecidability proof of the subtyping problem for context-free session types
reduces from the inclusion problem for simple deterministic languages, which was
shown to be undecidable by Friedman [13]. That for nested session types reduces
from the inclusion problem for Basic Process Algebra [4], which was shown to be
undecidable by Groote and Hüttel [18]. Given that 1-counter types T_1 and
pushdown types with one type constructor T_p^1 are incomparable (Theorem 1),
the problem of subtyping for 1-counter types remains open.

Dependent session types have been studied for binary session types [40,41],
for multi-party session types [12,29,45] and for polymorphic, nested session types
[9]. Although our parameterised type definitions have some similarities with
definitions in some dependently typed systems, we do not support the connection
between values in messages and parameters in types, and we have not yet studied
how the types that can be expressed in dependent systems fit into our hierarchy.
Connections between multiparty session types and communicating finite-state
automata have been explored by Deniélou and Yoshida [11] but the investigation
has not been extended to other classes of automata.


Solomon [37] studies the connection between inductive type equality for
nested types and language equality for DPDAs and shows that the equivalence
problem for nested types is as hard as the equivalence problem for DPDAs, an
open problem at the time. We follow a similar approach but define type
equivalence as a bisimulation rather than as language equivalence.


Many of the main results in this paper borrow from the theory of automata,
developed in the mid-20th century. Here our standard reference is the book by
Hopcroft and Ullman [22], where the notions of finite-state, pushdown, and
counter automata can be found. 1-counter automata were studied in detail in
Valiant's PhD thesis [42]. To prove the equivalence between types and automata,
we need to convert automata into automata satisfying certain properties; similar
techniques have appeared in Kao et al. [24] and Valiant and Paterson [43]. Our
proofs of decidability of type equivalence make use of the corresponding results
for automata [8,21,33,35,36,43]; we specifically mention Sénizergues' impressive
result on equivalence of deterministic pushdown automata [36], a work which
granted him the Gödel Prize in 2002. Finally, the strict hierarchy results use
textbook pumping lemmas for regular languages (due to Rabin and Scott [33])
and context-free languages (due to Bar-Hillel et al. [3] and Kreowski [26]), as well
as a somewhat less known result for 1-counter automata (due to Boasson [7]).


7 Conclusion 


We introduce different classes of session types, some new, others from the
literature, under a uniform framework and place them in a hierarchy. We further
study different type-related problems—formation, equivalence and duality—and
show that these relations are all decidable up to and including pushdown types.


Much remains to be done. From the point of view of programming languages,
one should investigate whether decidability results translate into algorithms that
may be incorporated in compilers. Even if subtyping is known to be undecidable
for most systems "above" that of recursive types, the problem remains open for
1-counter types, an interesting avenue for further investigation. Our study of
classes of infinite types may have applications beyond session types. One
promising direction is that of non-regular datatypes for functional programming
(or polymorphic recursion schemes [30]), such as nested datatypes [6].


We have not addressed the decidability of the type checking problem. Type
checking is known to be decidable for finite types, recursive, context-free and
nested session types. Given that type checking for nested session types is
incorporated in the RAST language [9], a natural first step would be to investigate
how to translate 1-counter and pushdown processes into that language.
Abstract. The class of Basic Feasible Functionals BFF is the second-order
counterpart of the class of first-order functions computable in polynomial time.
We present several implicit characterizations of BFF based on a typed
programming language of terms. These terms may perform calls to imperative
procedures, which are not recursive. The type discipline has two layers: the terms
follow a standard simply-typed discipline and the procedures follow a standard
tier-based type discipline. BFF consists exactly of the second-order functionals
that are computed by typable and terminating programs. The completeness of this
characterization surprisingly still holds in the absence of lambda-abstraction.
Moreover, the termination requirement can be specified as a
completeness-preserving instance, which can be decided in time quadratic in the
size of the program. As typing is decidable in polynomial time, we obtain the first
tractable (i.e., decidable in polynomial time), sound, complete, and implicit
characterization of BFF, thus solving a problem open for more than 20 years.


Keywords: Basic feasible functionals - Type 2 - Second-order - Polyno- 
mial time - Tiering - Safe recursion 


1 Introduction 


Motivations. The class of second-order functions computable in polynomial
time was introduced and studied by Mehlhorn [27], building on an earlier
proposal by Constable [10]. Kapron and Cook characterized this class using oracle
Turing machines, giving it the name Basic Feasible Functionals (BFF):

Definition 1 ([19]). A functional F is in BFF, if there are an oracle Turing
machine M and a second-order polynomial^3 P such that M computes F in time
bounded by P(|f|, |x|), for any oracle f and any input x.^4


Since then, BFF was consensually considered as the natural extension to
second-order of the well-known class of (first-order) polynomial time computable
functions, FP. Notions of second-order polynomial time, while of intrinsic interest,
have also been applied in a range of areas, including structural complexity
theory [27], resource-bounded topology [29], complexity of total search
problems [5], feasible real analysis [21], and verification [14].

^3 Second-order polynomials are a type-2 analogue of ordinary polynomials.
^4 The size of an oracle f is a first-order function defined by |f|(n) = max_{|y| ≤ n} |f(y)|.

Starting with Cobham's seminal work [9], there have been several attempts to
provide machine-independent characterizations of complexity classes such as (P
and) FP, that is, characterizations based on programming languages rather than
on machines. Beyond the purely theoretical aspects, the practical interest of such
characterizations is to be able to automatically guarantee that a program can be
executed efficiently and in a secure environment. For these characterizations to
hold, some restrictions are placed on a given programming language. They ensure
that a program can be simulated by a Turing machine in polynomial time and,
therefore, corresponds to a function in FP. This property is called soundness.
Conversely, we would like any function in FP to be computable by a program
satisfying the restrictions. This property is called (extensional) completeness. For
automation to be possible, it is necessary that the characterizations studied be
tractable; that is, decidable in polynomial time. Moreover, they should preferably
not require a prior knowledge of the program complexity. One speaks then of
implicit characterization insofar as the programmer does not have to know an
explicit bound on the complexity of the analyzed programs.

In the first-order setting, different restrictions and techniques have been
developed to characterize the complexity class FP. One can think, among others, of
the safe recursion and ramified recursion techniques for function algebras [6,24],
of interpretation methods for term rewrite systems [8], or of light and soft linear
logics typing-discipline for lambda-calculi [15,4,3].

In the second-order setting, a machine-independent characterization of BFF
was provided in [16]. This characterization uses the tier-based (i.e., safe/ramified
recursion-based) type discipline introduced in [26] on imperative programs for
characterizing FP and can be restated as follows:

    BFF = Λ(⟦ST⟧)_2,

⟦ST⟧ denotes the set of functions computed by typable and terminating
programs; Λ denotes the lambda closure, that is, for a given set of functionals X,
Λ(X) is the set of functionals denoted by simply-typed lambda-terms using
constants in X; X_2 is the restriction of X to second-order functionals. Type
inference for ⟦ST⟧ is fully automatic and can be performed in time cubic in the size
of the analyzed program. However the above characterization has two main
weaknesses:

— It is not complete: As ⟦ST⟧ ⊊ BFF, the typed language alone is not complete
for BFF and a lambda closure (i.e., Λ(X)) of functionals computed by typable
and terminating programs is required to ensure completeness.

— It is not tractable: the set ⟦ST⟧ relies on a termination assumption and it
is unclear whether the characterization still holds for a decidable or, for that
matter, tractable termination technique.


Thus, providing a tractable, implicit, sound, and complete programming
language for characterizing second-order polynomial time is still an open problem.

Contributions. Our paper provides the first solution to this problem, open
for more than 20 years. To this end, we introduce a higher-order programming
language and design a suitable typing discipline that addresses the two weaknesses
described above. The lambda closure requirement for completeness is removed
by designing a suitable programming language that consists of a layer of
simply-typed terms that can perform calls to a layer of imperative and
non-recursive procedures following a tier-based type discipline. This language
allows for some restricted forms of procedure composition that are handled by the
simply-typed terms and also allows for some restricted forms of oracle
composition that are managed through the use of closures, syntactic elements
playing the role of first-order abstractions with free variables. The termination
criterion is specified as a completeness-preserving instance, called SCP_B, of a
variant of Size Change Termination [23] introduced in [7] that can be checked in
time quadratic in the size of the analyzed program. The main contributions of this
paper are:


— A programming language in which typable (SAFE) and terminating (SN)
programs capture exactly BFF (Theorem 2).

— A restriction to lambda-free programs, called rank-0 programs, such that
typable (SAFE_0) and terminating (SN) programs still capture exactly BFF
(Theorem 3); hence showing that lambda-abstraction only provides a syntactic
relaxation, and corresponds to a conservative extension in terms of computable
functions.

— A proof that type inference for SAFE is P-complete, and a type inference
procedure running in time cubic in the program size for SAFE (Theorem 4).

— A simple termination criterion, called SCP_B, preserving soundness and
completeness of the characterizations both for SAFE and for SAFE_0 (Theorem 5)
that can be checked in quadratic time.

— A complete characterization of BFF in terms of typable (SAFE) and
terminating (SCP_B) programs (Theorem 6) that captures strictly more programs
(Example 1) than [16], and is decidable in P-time.


The contributions of the paper are a non-trivial extension of existing works: 


— The critical programming language design decisions rely mostly on the
notion of continuation, that fixes a given oracle (closure) for once in the
imperative layer. If the oracle were allowed to be updated inside a while loop,
depending on some local value, then the language would yield a class beyond
BFF, by computing exponential functions.

— It is a surprising result that the characterization of BFF still holds in the
absence of lambda-abstraction as a basic construct of the proposed programming
language, in particular that completeness does not rely on lambda-abstractions.
This is an important improvement over [16] and [20], both of which required
external lambda-closure.

— The type system is designed so that each procedure is typed exactly once.
Types are not unique, but this does not prevent type inference from being
polytime, as exhibiting one type is sufficient. The tractability of type inference is
obtained by combining the tractabilities of type inference in the tier-based layer
and in the simply-typed layer [25].

— The particular choice of the termination criterion SCP_B was made to show
that termination can be specified as a tractable/feasible criterion while
preserving completeness. This is also a new result. SCP_B may include nested
loops (as described in [7]) and can be replaced by any termination criterion
capturing the programs of our completeness proof. SCP_B was chosen for its
tractability, but not only: the SCP criterion of [7] ensures termination by using an
error state which breaks the control flow. This control-flow break damages the
non-interference property needed for tier-based typing to guarantee time
complexity bounds.


Leading example. The program ce of Example 1 will be our leading example,
as it computes a function known to be in BFF − ⟦ST⟧ (i.e., it computes a function
in BFF and not in ⟦ST⟧, see [20]). This program will be shown to be in SAFE_0
and, consequently, in SAFE and to terminate with SCP_B.


Example 1 (Program ce). Let W be the set of words. Let the operator ε of arity
0 represent the empty word constant, let the operator != test whether or not its
arguments are distinct, and let the operator pred remove the first letter of a word.
The binary operator | truncates and pads the size of its first operand to the size of
its second operand plus 1. When the boxed variables X and y are fed with the
inputs f ∈ W → W and w ∈ W, respectively, program ce calls procedure KS in the
term t. Program ce computes |w| (i.e., the size of the word w) bounded iterations
of f ∘ f through the iteration of the assignment z := X2(z | w) in procedure KS.
The bound on the output size of each iteration is computed by the first assignment
w := X1(ε | ε) of KS and is equal to f(1) (that is, f(⟦ε | ε⟧), with ⟦ε | ε⟧ = 1; ⟦e⟧
being the result of evaluating the expression e).

    box [X, y] in
    declare
      KS(X1, X2, v) {
        var w, z;
        w := X1(ε | ε);
        z := ε;
        while (v != ε) {
          v := pred(v);
          z := X2(z | w)
        }
        return z
      }
    in call KS({x → X @ x}, {x → X @ (X @ x)}, y)

In the figure, p denotes the procedure declaration KS, st its body statement, st' the
statement inside the while loop, t the term call KS(...), and ce the whole program.


Related work. Several tools providing machine-independent characterizations
of distinct complexity classes have been developed in the field of Implicit
Computational Complexity (ICC). Most of these tools are restricted to the study of
first-order complexity classes. Whereas light logic approaches can deal with
programs at higher types, their applications are restricted to first-order complexity
classes such as FP [15,4,3]. Interpretation methods were extended to higher-order
polynomials in [2] to study FP and adapted in [13] and [17] to characterize BFF.
However, these characterizations are not decidable as they require checking of
second-order polynomial inequalities. [12] and [18] study characterizations of BFF
in terms of a simple imperative programming language that enforces an explicit
external bound on the size of oracle outputs within loops. The corresponding
restriction is not implicit by nature and is impractical from a programming
perspective as the size of oracle outputs cannot be predicted. In this paper, the
bound is programmer friendly because it is implicit and it only constrains the
size of the oracle input.


2 A second-order language with imperative procedures 


The syntax and semantics of the programming language designed to capture the
complexity class BFF are introduced in this section. Programs of this language
consist in second-order terms in which imperative procedures are declared and
called. These procedures have no global variables, are not recursive, and their
parameters can be of order 1 (oracles) or 0 (local variables). Oracles are in
read-only mode: they cannot be declared and, hence, modified inside a procedure.
Oracles can only be composed at the term level through the use of closures,
first-order abstractions that can be passed as parameters in a procedure call.


Syntax. When we refer to a type-i syntactic element e (a variable, an expression,
a statement, ...), for i ∈ N, we implicitly assume that the element e denotes some
function of order i over words as basic type. We will sometimes write e^i in order to
make the order explicit. For example, e^0 denotes a word. This notion will be
formally defined in Section 3. Let ē denote a (possibly empty) tuple of n elements
e_1, ..., e_n, where n is given by the context. Let |ē| denote the length of tuple ē,
i.e., |ē| = n. Let π_i, i ≤ |ē|, denote the projectors on tuples, i.e., π_i(ē) ≜ e_i.

Let V be a set of variables that can be split into three disjoint sets V =
V_0 ⊎ V_1 ⊎ V_{≥2}. The type-0 variables in V_0 will be denoted by lower case letters
x, y, ... and the type-1 variables in V_1 will be denoted by upper case letters
X, Y, ... Variables in V of arbitrary type will be denoted by letters a, b, a_1, a_2, ....

Let O be a set of (type-1) operators op of fixed arity ar(op) that will be used
both in infix and prefix notations for notational convenience and that are always
fully applied, i.e., applied to a number ar(op) of operands.

The programs are defined by the grammar of Figure 1. A program is either a
term t^0, a procedure declaration declare p in prog, or the declaration of a boxed
variable a, called box, followed by a program: box [a] in prog. Boxed variables
will represent the program inputs.

In Figure 1, there are three constructor/destructor pairs for abstraction and
application, each of them playing a distinct rôle:

— λa.t and t_1@t_2 are the standard abstraction and application on terms.

— The application of a type-1 variable X within a statement is called an oracle
call, written X(e_1 | e_2), where e_1 is called the input data, e_2 is called the
input bound, and e_1 | e_2 is called the input. The corresponding abstraction
is called a closure, a type-1 map of the shape {x → t^0}, where the type-0
term t may contain free variables.

— A procedure declaration P(X̄, x̄){[var ȳ;] st return x} is an abstraction
that computes type-2 functions mapping type-1 and type-0 inputs (X̄ and
x̄, respectively) to a type-0 output (x). The procedure calls of the shape
call P(c̄, t̄^0) are the corresponding applications and take closures as type-1
inputs and terms as type-0 inputs.


    Type-0 var.    x, y, u, v, w, ... ∈ V_0
    Type-1 var.    X, Y, X_1, X_2, ... ∈ V_1
    Variables      a, b, a_1, a_2, ... ∈ V = V_0 ⊎ V_1 ⊎ V_{≥2}
    Operators      op, |, ... ∈ O
    Expressions    e, e_1, e_2, ...   ::= x | op(ē) | X(e_1 | e_2)
    Statements     st, st_1, ...      ::= skip | x := e | st_1; st_2 | if(e){st_1} else {st_2}
                                         | while(e){st}
    Procedures     p, p_1, p_2, ...   ::= P(X̄, x̄){[var ȳ;] st return x}
    Terms          t, t_1, t_2, ...   ::= a | λa.t | t_1@t_2 | call P(c̄, t̄^0)
    Closures       c, c_1, c_2, ...   ::= {x → t}
    Programs       prog              ::= t^0 | declare p in prog | box [a] in prog

Fig. 1: Syntax of type-2 programs


For some syntactic element e of the language, let V(e) ⊆ V be the set of
all variables occurring in e. A variable is free if it is not under the scope of an
abstraction and it is not boxed. A program is closed if it has no free variable.

For a given procedure declaration p = P(X̄, x̄){[var ȳ;] st return x}, define
the procedure name of p by n(p) ≜ P. Define also body(P) ≜ st, local(P) ≜ {ȳ},
and param(P) ≜ {X̄, x̄}. body(P) is called the body of procedure P. The variables
in local(P) are called local variables and the variables in param(P) are called
parameters. Finally, define Proc(t) (and Proc(prog)) to be the set of procedure
names that are called within the term t (respectively program prog).

Throughout the paper, we will restrict our study to closed programs in normal
form. These consist of programs with no free variable that can be written as
follows: box [X̄, x̄] in declare p̄ in t, for some term t such that the following
well-formedness conditions hold: (i) There are no name clashes. (ii) There are no
free variables in a given procedure. (iii) Any procedure call has a corresponding
procedure declaration. A closed program in normal form of the shape
box [X̄, x̄] in declare p̄ in t^0, for some type-0 term t, will compute a type-2
functional. The typing discipline presented in Section 3 will restrict the analysis
to such programs.


Operational semantics. Let W = Σ* be the set of words over a finite alphabet
Σ such that {0,1} ⊆ Σ. The symbol ε denotes the empty word. The length of a
word w is denoted |w|. Given two words w and v in W let v.w denote the
concatenation of v and w. For a given symbol a ∈ Σ, let a^n be defined inductively
by a^0 = ε and a^{n+1} = a.a^n. Let ⊴ be the sub-word relation over W, which is
defined by v ⊴ w if ∃u, u' ∈ W, w = u.v.u'.

For a given word w ∈ W and an integer n, let w|_n be the word obtained by
truncating w to its first min(n, |w|) symbols and then padding with a word of the
form 10* to obtain a word of size exactly n + 1. For example, 1001|_0 = 1,
1001|_1 = 11, 1001|_2 = 101, and 1001|_6 = 1001100. Define ∀v, w ∈ W,
⟦|⟧(v, w) = v|_{|w|}. Padding ensures that |⟦|⟧(v, w)| = |w| + 1. The syntax of
programs enforces that oracle calls are always performed on input data padded by
the input bound and, consequently, oracle calls are always performed on input
data whose size does not exceed the size of the input bound plus one.
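The truncate-and-pad operator just defined, and the function that program ce of Example 1 computes with it, as an added Python example that is not part of the paper; pad, bounded_input and ce are our names, and the oracle f stands for any total function on words.

```python
# Added example (not the paper's code): the operator w|_n and the denotation of
# program ce from Example 1, so that one can see |w| bounded iterations of f∘f
# whose oracle inputs never exceed |f(1)| + 1 symbols.
from typing import Callable

Oracle = Callable[[str], str]   # a total function f : W -> W over the alphabet {0,1,...}

def pad(w: str, n: int) -> str:
    """w|_n: keep the first min(n, |w|) symbols of w, then pad with a word of the
    form 10* so that the result has size exactly n + 1."""
    head = w[: min(n, len(w))]
    return head + "1" + "0" * (n - len(head))

def bounded_input(data: str, bound: str) -> str:
    """⟦|⟧(v, w) = v|_{|w|}: the input actually handed to an oracle; its size is |w| + 1."""
    return pad(data, len(bound))

def ce(f: Oracle, w: str) -> str:
    """⟦ce⟧(f, w): run procedure KS with X1 = {x -> X@x} = f, X2 = {x -> X@(X@x)} = f∘f
    and v = w, following the statements of Example 1 line by line."""
    x1 = f
    x2 = lambda x: f(f(x))
    v = w
    bound = x1(bounded_input("", ""))      # w := X1(ε | ε), i.e. f(1) since ε|_0 = 1
    z = ""                                 # z := ε
    while v != "":                         # while (v != ε)
        v = v[1:]                          # v := pred(v)
        z = x2(bounded_input(z, bound))    # z := X2(z | w)
    return z
```

With f appending a 0 to its argument, bound is "10", every oracle input is 3 symbols long regardless of |w|, and the result stabilises at "10100" after two iterations.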

A total function ⟦op⟧ : W^{ar(op)} → W is associated with each operator op of
arity ar(op). Constants may be viewed as operators of arity zero. We define two
classes of operators called neutral and positive depending on the total function
they compute. This categorization of operators will be used by our type system
as the admissible types for operators will depend on their category.

An operator op, computing the total function ⟦op⟧ : W^{ar(op)} → W, is:

— neutral if:
  1. either ⟦op⟧ is constant, i.e., ar(op) = 0;
  2. or ⟦op⟧ : W^{ar(op)} → {0,1} is a predicate;
  3. or ∀w̄ ∈ W^{ar(op)}, ∃i ≤ ar(op), ⟦op⟧(w̄) ⊴ w_i;
— positive if ∃c_op ∈ N s.t.: ∀w̄ ∈ W^{ar(op)}, |⟦op⟧(w̄)| ≤ max_{1 ≤ i ≤ ar(op)} |w_i| + c_op.

As neutral operators are always positive, in the sequel, we reserve the name
positive for those operators that are positive but not neutral.

In what follows, let $f, g, \ldots$ denote total functions in $W \to W$. A store $\mu$ 
consists of the disjoint union of a map $\mu_0$ from $V_0$ to $W$ and a map $\mu_1$ from 
$V_1$ to total functions in $W \to W$. For $i \in \{0,1\}$, $\mu_i$ is called a type-$i$ store. Let 
$dom(\mu)$ be the domain of the store $\mu$. Let $\mu[x \leftarrow w]$ denote the store $\mu'$ satisfying 
$\mu'(b) = \mu(b)$, for all $b \neq x$, and $\mu'(x) = w$. This notation is extended naturally 
to type-1 variables $\mu[X \leftarrow f]$ and to sequences of variables $\mu[\overline{x} \leftarrow \overline{w}, \overline{X} \leftarrow \overline{f}]$. 
Finally, let $\mu_\emptyset$ denote the empty store. 

Let $\Downarrow$ denote the standard big-step call-by-name reduction relation on terms 
defined by: if $t_1 \Downarrow \lambda a.t$ and $t\{t_2/a\} \Downarrow v$ then $t_1@t_2 \Downarrow v$, where $\{t_2/a\}$ is the stan- 
dard substitution and where $v$ can be a type-0 variable $x$, a lambda-abstraction 
$\lambda a.t$, a type-1 variable application $X@t$, or a procedure call $\mathtt{call}\ P(\overline{c}, \overline{t^0})$. 

A continuation is a map $\phi$ from $V_1$ to Closures, i.e., $\phi(X) = \{x \mapsto t^0\}$ for 
some type-1 variable $X$, some type-0 variable $x$, and some type-0 term $t^0$. Let 
$\overline{X} \mapsto \overline{c}$, with $|\overline{X}| = |\overline{c}|$, be a notation for the continuation mapping each $X_i \in V_1$ 
to the closure $c_i$. 
Given a set of procedures $\sigma$, a store $\mu$, and a continuation $\phi$, we define three 
distinct kinds of judgments: $(\sigma, \mu, \phi, e) \to_{exp} w$ for expressions, $(\sigma, \mu, \phi, st) \to_{st} 
\mu'$ for statements, and $(\sigma, \mu, prog) \to_{env} w$ for programs. The big-step opera- 
tional semantics of the language is described in Figure 2. 

A program $prog = \mathtt{box}\ [\overline{X}, \overline{x}]\ \mathtt{in}\ \mathtt{declare}\ \overline{p}\ \mathtt{in}\ t^0$ computes the second-order 
partial functional $\llbracket prog \rrbracket \in (W \to W)^{|\overline{X}|} \to W^{|\overline{x}|} \to W$, defined by: 


$\llbracket prog \rrbracket(\overline{f}, \overline{w}) = w$ iff $(\emptyset, \mu_\emptyset[\overline{x} \leftarrow \overline{w}, \overline{X} \leftarrow \overline{f}], prog) \to_{env} w$. 


In the special case where $\llbracket prog \rrbracket$ is a total function, the program $prog$ is 
said to be terminating (strongly normalizing). We will denote by SN the set of 
terminating programs. For a given set of programs $S$, let $\llbracket S \rrbracket$ denote the set of 
functions computed by programs in $S$. Formally, $\llbracket S \rrbracket = \{\llbracket prog \rrbracket \mid prog \in S\}$. 


Example 2. Consider the program ce provided in Example 1, where: 

$\llbracket \epsilon \rrbracket() = \epsilon \in W$; $\llbracket !\!= \rrbracket(w, v) = 1$ if $v \neq w$ and $0$ otherwise; $\llbracket pred \rrbracket(v) = \epsilon$ if $v = \epsilon$ and $\llbracket pred \rrbracket(v) = u$ if $v = a.u$. 


Program ce is in normal form and computes the second-order functional 
$F : (W \to W) \to W \to W$ defined by: $\forall f \in W \to W, \forall w \in W$, $F(f)(w) = 
F_{|w|}(f)$, where $F_n$ is defined recursively as $F_0(f) = \epsilon$ and $F_{n+1}(f) = (f \circ 
\llbracket | \rrbracket(\cdot, f(1)) \circ f)(F_n(f)) = f\big(f(F_n(f))|_{|f(1)|}\big)$. That is a function that composes 
the input function $f$ $2|w|$ times while restricting its input to a fixed size $|f(1)|$ 
every other iteration. Indeed, $\llbracket \epsilon \rrbracket() = \epsilon$ and $\llbracket | \rrbracket(\epsilon, \epsilon) = \epsilon|_0 = 1$. Consequently, 
the oracle bound $w$ in the oracle call $X_2(z \,|\, w)$ is bound to the value $f(1)$ in the store 
by the statement $w := X_1(\epsilon \,|\, \epsilon)$. 

Observe that the operators $\epsilon$, $!\!=$ and $pred$ are all neutral. An example of a 
positive operator can be given by the successor operators defined by $\llbracket suc_i \rrbracket(v) = 
i.v$, for $i \in \{0,1\}$. These operators are positive since $|\llbracket suc_i \rrbracket(v)| = |i.v| = |v| + 1$. 


3 Type system 


Tiers and typing environments. Let $\mathtt{W}$ be the type of words in $W$. Simple 
types over $\mathtt{W}$ are defined inductively by $T, T', \ldots ::= \mathtt{W} \mid T \to T'$. Let $\mathbb{T}_\mathtt{W}$ be the set 
of simple types over $\mathtt{W}$. The order of a simple type in $\mathbb{T}_\mathtt{W}$ is defined inductively by: 
$ord(T) = 0$, if $T = \mathtt{W}$, and $ord(T) = \max(1 + ord(T_1), ord(T_2))$, if $T = T_1 \to T_2$. 

Tiers are elements of the totally ordered set $(\mathbb{N}, \preceq, 0, \vee, \wedge)$, where $\mathbb{N} = 
\{0,1,2,\ldots\}$ is the set of natural numbers, $\preceq$ is the standard ordering on integers, 
and $\vee$ and $\wedge$ are the max and min operators over integers. Let $\prec$ be defined by 
$\prec := \preceq \cap \neq$. We use the symbols $k, k', \ldots, k_1, k_2, \ldots$ to denote tier variables. 
For a finite set of tiers, $\{k_1, \ldots, k_n\}$, let $\bigvee_{i=1}^n k_i$ ($\bigwedge_{i=1}^n k_i$, respectively) denote 
$k_1 \vee \ldots \vee k_n$ ($k_1 \wedge \ldots \wedge k_n$, respectively). A first-order tier is of the shape 
$k_1 \to \ldots \to k_n \to k'$, with $k_i, k' \in \mathbb{N}$. 

A simple typing environment $\Gamma_\mathtt{W}$ is a finite partial map from $V$ to $\mathbb{T}_\mathtt{W}$, which 
assigns simple types to variables. 


376 E. Hainry et al. 


Fig. 2: Big step operational semantics. Each rule is written as premises ⟹ conclusion; a rule with no premises is an axiom. 

(a) Expressions 

(Var) ⟹ $(\sigma, \mu, \phi, x) \to_{exp} \mu(x)$ 
(Op) $(\sigma, \mu, \phi, \overline{e}) \to_{exp} \overline{w}$ ⟹ $(\sigma, \mu, \phi, op(\overline{e})) \to_{exp} \llbracket op \rrbracket(\overline{w})$ 
(OR) $(\sigma, \mu, \phi, e_1) \to_{exp} v$, $(\sigma, \mu, \phi, e_2) \to_{exp} u$, $\phi(X) = \{x \mapsto t^0\}$, $(\sigma, \mu[x \leftarrow \llbracket | \rrbracket(v, u)], t^0) \to_{env} w$ ⟹ $(\sigma, \mu, \phi, X(e_1 \,|\, e_2)) \to_{exp} w$ 

(b) Statements 

(Skip) ⟹ $(\sigma, \mu, \phi, \mathtt{skip}) \to_{st} \mu$ 
(Seq) $(\sigma, \mu, \phi, st_1) \to_{st} \mu'$, $(\sigma, \mu', \phi, st_2) \to_{st} \mu''$ ⟹ $(\sigma, \mu, \phi, st_1; st_2) \to_{st} \mu''$ 
(Asg) $(\sigma, \mu, \phi, e) \to_{exp} w$ ⟹ $(\sigma, \mu, \phi, x := e) \to_{st} \mu[x \leftarrow w]$ 
(Cond) $(\sigma, \mu, \phi, e) \to_{exp} w$, $(\sigma, \mu, \phi, st_w) \to_{st} \mu'$, $w \in \{0, 1\}$ ⟹ $(\sigma, \mu, \phi, \mathtt{if}(e)\{st_1\}\ \mathtt{else}\ \{st_0\}) \to_{st} \mu'$ 
(Wh0) $(\sigma, \mu, \phi, e) \to_{exp} 0$ ⟹ $(\sigma, \mu, \phi, \mathtt{while}(e)\{st\}) \to_{st} \mu$ 
(Wh1) $(\sigma, \mu, \phi, e) \to_{exp} 1$, $(\sigma, \mu, \phi, st; \mathtt{while}(e)\{st\}) \to_{st} \mu'$ ⟹ $(\sigma, \mu, \phi, \mathtt{while}(e)\{st\}) \to_{st} \mu'$ 

(c) Type-0 terms 

(TVar) $t^0 \Downarrow x$ ⟹ $(\sigma, \mu, t^0) \to_{env} \mu(x)$ 
(OA) $t^0 \Downarrow X@t^{0\prime}$, $(\sigma, \mu, t^{0\prime}) \to_{env} w$ ⟹ $(\sigma, \mu, t^0) \to_{env} \mu(X)(w)$ 
(Call) $t^0 \Downarrow \mathtt{call}\ P(\overline{c}, \overline{t^0})$, $(\sigma, \mu, \overline{t^0}) \to_{env} \overline{w}$, $(\sigma, \mu[\overline{x} \leftarrow \overline{w}, \overline{y} \leftarrow \epsilon], \overline{X} \mapsto \overline{c}, st) \to_{st} \mu'$ ⟹ $(\sigma \cup \{P(\overline{X}, \overline{x})\{\mathtt{var}\ \overline{y}; st\ \mathtt{return}\ z\}\}, \mu, t^0) \to_{env} \mu'(z)$ 

(d) Programs 

(Dec) $(\sigma \cup \{p\}, \mu, prog) \to_{env} w$ ⟹ $(\sigma, \mu, \mathtt{declare}\ p\ \mathtt{in}\ prog) \to_{env} w$ 
(Box) $(\sigma, \mu, prog) \to_{env} w$, $\overline{a} \in dom(\mu)$ ⟹ $(\sigma, \mu, \mathtt{box}\ [\overline{a}]\ \mathtt{in}\ prog) \to_{env} w$ 
A variable typing environment $\Gamma$ is a finite partial map from $V_0$ to $\mathbb{N}$, which 
assigns single tiers to type-0 variables. 

An operator typing environment $\Delta$ is a mapping that associates to some 
operator $op$ and some tier $k \in \mathbb{N}$ a set of admissible first-order tiers $\Delta(op)(k)$ 
of the shape $k_1 \to \ldots \to k_{ar(op)} \to k'$. 

A procedure typing environment $\Omega$ is a mapping that associates to each pro- 
cedure name $P$ a pair $(\Gamma, \overline{k})$ consisting of a variable typing environment $\Gamma$ and 
a triplet of tiers $\overline{k}$. Let $\Omega_i \triangleq \pi_i(\Omega)$, $i \in \{1,2\}$. 

Let $dom(\Gamma)$, $dom(\Gamma_\mathtt{W})$, $dom(\Delta)$, and $dom(\Omega)$ denote the sets of variables 
typed by $\Gamma$ and $\Gamma_\mathtt{W}$, the set of operators typed by $\Delta$, and the set of procedures 
typed by $\Omega$, respectively. 

For a procedure typing environment $\Omega$, it will be assumed that for every 
$P \in dom(\Omega)$, $param(P) \cup local(P) \subseteq dom(\Omega_1(P))$. 

While operator and procedure typing environments are global, i.e., defined 
for the whole program, variable typing environments are local, i.e., relative to 
the procedure under analysis. In a program typing judgment, the simple typing 
environment can be viewed as the typing environment for the main program. 


Typing judgments and type system. The typing discipline includes two 
distinct kinds of typing judgments: Procedure typing judgments $\Gamma, \Delta \vdash o : 
(k, k_{in}, k_{out})$ and Term typing judgments $\Gamma_\mathtt{W}, \Omega, \Delta \vdash prog : T$, with $k, k_{in}, k_{out} \in 
\mathbb{N}$, $o \in \mathrm{Expressions} \cup \mathrm{Statements}$, and $T \in \mathbb{T}_\mathtt{W}$. 

The meaning of the procedure typing judgment is that the expression tier 
(or statement tier) is $k$, the innermost tier is $k_{in}$, and the outermost tier is 
$k_{out}$. The innermost (resp. outermost) tier is the tier of the innermost (resp. 
outermost) while loop guard where the expression or statement is located. The 
meaning of term typing judgments is that the program $prog$ is of simple type $T$ 
under the operator typing environment $\Delta$, the procedure typing environment $\Omega$ 
and the simple typing environment $\Gamma_\mathtt{W}$. 

A program $prog$ (or term $t$) is of type-$i$, if $\Gamma_\mathtt{W}, \Omega, \Delta \vdash prog : T$ ($\Gamma_\mathtt{W}, \Omega, \Delta \vdash 
t : T$) can be derived for some typing environments and type $T$ s.t. $ord(T) = i$. 

The type system for the considered programming language is provided in Fig- 
ure 3. A well-typed program is a program that can be given the type $(\mathtt{W} \to \mathtt{W}) \to 
\mathtt{W} \to \mathtt{W}$, i.e., the judgment $\Gamma_\mathtt{W}, \Omega, \Delta \vdash prog : (\mathtt{W} \to \mathtt{W}) \to \mathtt{W} \to \mathtt{W}$ can be derived 
for the environments $\Gamma_\mathtt{W}, \Omega, \Delta$. Consequently, a well-typed program is a type-$i$ 
program, for some $i \leq 2$, computing a functional. 

For a given typing judgment $j$, a typing derivation $\pi \lhd j$ is a tree whose root 
is the (procedure or term) typing judgment $j$ and whose children are obtained 
by applications of the typing rules of Figure 3. The name $\pi$ will be used alone 
whenever mentioning the root of a typing derivation is not explicitly needed. A 
typing sub-derivation of a typing derivation $\pi$ is a subtree of $\pi$. 


Intuitions. We now give some brief intuition to the reader on the type discipline 
in the particular case where exactly two tiers, 0 and 1, are involved. The type 
system splits program variables, expressions, and statements between the two 
disjoint tiers: 
Fig. 3: Tier-based type system. Each rule is written as premises ⟹ conclusion; a rule with no premises is an axiom. 

(a) Tier-based typing rules for expressions and statements 

(E-VAR) $\Gamma(x) = k$ ⟹ $\Gamma, \Delta \vdash x : (k, k_{in}, k_{out})$ 
(E-OP) $k_1 \to \cdots \to k_n \to k \in \Delta(op)(k_{in})$, $\forall i \leq n$, $\Gamma, \Delta \vdash e_i : (k_i, k_{in}, k_{out})$ ⟹ $\Gamma, \Delta \vdash op(\overline{e}) : (k, k_{in}, k_{out})$ 
(E-OR) $\Gamma, \Delta \vdash e_1 : (k, k_{in}, k_{out})$, $\Gamma, \Delta \vdash e_2 : (k_{out}, k_{in}, k_{out})$, $k \prec k_{in} \wedge k \preceq k_{out}$ ⟹ $\Gamma, \Delta \vdash X(e_1 \,|\, e_2) : (k, k_{in}, k_{out})$ 
(S-SK) ⟹ $\Gamma, \Delta \vdash \mathtt{skip} : (0, k_{in}, k_{out})$ 
(S-SUB) $\Gamma, \Delta \vdash st : (k, k_{in}, k_{out})$ ⟹ $\Gamma, \Delta \vdash st : (k+1, k_{in}, k_{out})$ 
(S-SEQ) $\Gamma, \Delta \vdash st_1 : (k, k_{in}, k_{out})$, $\Gamma, \Delta \vdash st_2 : (k, k_{in}, k_{out})$ ⟹ $\Gamma, \Delta \vdash st_1; st_2 : (k, k_{in}, k_{out})$ 
(S-ASG) $\Gamma, \Delta \vdash x : (k_1, k_{in}, k_{out})$, $\Gamma, \Delta \vdash e : (k_2, k_{in}, k_{out})$, $k_1 \preceq k_2$ ⟹ $\Gamma, \Delta \vdash x := e : (k_1, k_{in}, k_{out})$ 
(S-CND) $\Gamma, \Delta \vdash e : (k, k_{in}, k_{out})$, $\Gamma, \Delta \vdash st_1 : (k, k_{in}, k_{out})$, $\Gamma, \Delta \vdash st_0 : (k, k_{in}, k_{out})$ ⟹ $\Gamma, \Delta \vdash \mathtt{if}(e)\{st_1\}\ \mathtt{else}\ \{st_0\} : (k, k_{in}, k_{out})$ 
(S-WINIT) $\Gamma, \Delta \vdash e : (k, k_{in}, k)$, $\Gamma, \Delta \vdash st : (k, k, k)$, $1 \preceq k$ ⟹ $\Gamma, \Delta \vdash \mathtt{while}(e)\{st\} : (k, k_{in}, 0)$ 
(S-WH) $\Gamma, \Delta \vdash e : (k, k_{in}, k_{out})$, $\Gamma, \Delta \vdash st : (k, k, k_{out})$, $1 \preceq k \preceq k_{out}$ ⟹ $\Gamma, \Delta \vdash \mathtt{while}(e)\{st\} : (k, k_{in}, k_{out})$ 

(b) Simple typing rules for procedures, terms, closures and programs 

$\Gamma_\mathtt{W}, \Omega, \Delta \vdash \overline{X} : \mathtt{W} \to \mathtt{W}$, $\Gamma_\mathtt{W}, \Omega, \Delta \vdash \overline{x}, \overline{y}, x : \mathtt{W}$ ⟹ $\Gamma_\mathtt{W}, \Omega, \Delta \vdash P(\overline{X}, \overline{x})\{[\mathtt{var}\ \overline{y};]\ st\ \mathtt{return}\ x\} : (\mathtt{W} \to \mathtt{W}) \to \mathtt{W} \to \mathtt{W}$ 
$\Gamma_\mathtt{W}, \Omega, \Delta \vdash P(\overline{X}, \overline{x})\{\ldots\} : (\mathtt{W} \to \mathtt{W}) \to \mathtt{W} \to \mathtt{W}$, $\Gamma_\mathtt{W}, \Omega, \Delta \vdash \overline{c} : \mathtt{W} \to \mathtt{W}$, $\Gamma_\mathtt{W}, \Omega, \Delta \vdash \overline{t} : \mathtt{W}$ ⟹ $\Gamma_\mathtt{W}, \Omega, \Delta \vdash \mathtt{call}\ P(\overline{c}, \overline{t}) : \mathtt{W}$ 
(P-VAR) $\Gamma_\mathtt{W}(a) = T$ ⟹ $\Gamma_\mathtt{W}, \Omega, \Delta \vdash a : T$ 
(P-ABS) $\Gamma_\mathtt{W} \uplus \{a : T\}, \Omega, \Delta \vdash t : T'$ ⟹ $\Gamma_\mathtt{W}, \Omega, \Delta \vdash \lambda a.t : T \to T'$ 
(P-APP) $\Gamma_\mathtt{W}, \Omega, \Delta \vdash t_1 : T \to T'$, $\Gamma_\mathtt{W}, \Omega, \Delta \vdash t_2 : T$ ⟹ $\Gamma_\mathtt{W}, \Omega, \Delta \vdash t_1@t_2 : T'$ 
(P-DEC) $\Gamma_\mathtt{W}, \Omega, \Delta \vdash prog : T$, $\Gamma, \Delta \vdash body(n(p)) : (k, k_{in}, k_{out})$, $\Omega(n(p)) = (\Gamma, (k, k_{in}, k_{out}))$ ⟹ $\Gamma_\mathtt{W}, \Omega, \Delta \vdash \mathtt{declare}\ p\ \mathtt{in}\ prog : T$ 
(P-CLOS) $\Gamma_\mathtt{W} \uplus \{x : \mathtt{W}\}, \Omega, \Delta \vdash t : \mathtt{W}$ ⟹ $\Gamma_\mathtt{W}, \Omega, \Delta \vdash \{x \mapsto t\} : \mathtt{W} \to \mathtt{W}$ 
(P-BOX) $\Gamma_\mathtt{W} \uplus \{\overline{a} : \overline{T}\}, \Omega, \Delta \vdash prog : T$ ⟹ $\Gamma_\mathtt{W}, \Omega, \Delta \vdash \mathtt{box}\ [\overline{a}]\ \mathtt{in}\ prog : \overline{T} \to T$ 
— 0 corresponds to a program component whose execution may result in a 
memory increase (in size) and that cannot control the program flow. 

— 1 corresponds to a program component whose execution cannot result in a 
memory increase and that may control the program flow. 


The type system of Figure 3 is composed of two sub-systems. The typing rules 
provided in Figure 3b enforce that terms follow a standard simply-typed disci- 
pline. The typing rules of Figure 3a implement a standard non-interference 
type discipline à la Volpano et al. [30] on the expression (and statement) tier, 
preventing data flows from tier 0 to tier 1. The transition between the two sub- 
type-systems is performed in the rule (P-DEC) of Figure 3b that checks that 
the procedure body follows the tier-based type discipline once and for all in a 
procedure declaration. 

In Figure 3a, as tier 1 data cannot grow (but can decrease) and are the only 
data driving the program flow, the number of distinct memory configurations on 
such data for a terminating procedure is polynomial in the size of the program 
input (i.e., number of symbols). Hence a typable and terminating procedure has 
a polynomial step count (in the sense of [11]), i.e., on any input, the execution 
time of the procedure is bounded by a first-order polynomial in the size of its 
input and the maximal size of any answer returned by an oracle call. 

The innermost tier is used to implement a declassification mechanism on 
operators improving the type-system’s expressive power: an operator may be 
typed differently depending on its calling context (the statement where it is 
applied). This is the reason why more than 2 tiers can be used in general. 

The outermost tier is used to ensure that oracles are only called on inputs of 
bounded size. This latter restriction on oracle calls enforces a semantic restric- 
tion, called finite lookahead revision, introduced in [22,20] and requiring that, 
during each computation, the number of calls performed by the oracle on an 
input of increasing size is bounded by a constant. 

Let MPT be the class of second-order functionals computable by an oracle 
Turing machine with a polynomial step count and a finite lookahead revision. 
[20] shows that $BFF = \Lambda(MPT)_2$. The type system of Figure 3 ensures that each 
terminating procedure of a well-typed program computes a function in MPT. 


Safe programs. In this section, we restrict the set of admissible operators to 
prevent programs admitting exponential growth from being typable. A program 
satisfying such a restriction will be called safe. 

An operator typing environment $\Delta$ is safe if for each $op \in dom(\Delta)$ such 
that $ar(op) > 0$, $op$ is neutral or positive, $\llbracket op \rrbracket$ is a polynomial time computable 
function, and for each $k \in \mathbb{N}$, and for each $k_1 \to \ldots \to k_{ar(op)} \to k' \in \Delta(op)(k)$, 
the two conditions below hold: 


1. $k' \preceq \bigwedge_{i=1}^{ar(op)} k_i \preceq k$, 
2. if $op$ is a positive operator then $k' \prec k$. 


Example 3. Consider the operators $!\!=$, $pred$, and $suc_i$ discussed in Example 1 
and an operator typing environment $\Delta$ that is safe and such that $!\!=, pred, suc_i 
\in dom(\Delta)$. We can set $\Delta(!\!=)(1) = \{1 \to 1 \to 1\} \cup \{k \to k' \to 0 \mid k, k' \preceq 1\}$, as 
$!\!=$ is neutral. However $1 \to 0 \to 1 \notin \Delta(!\!=)(1)$ as it breaks Condition 1) above 
(i.e., $1 \not\preceq 0$). 

We can also set $\Delta(pred)(2) = \{2 \to k \mid k \preceq 2\} \cup \{1 \to k \mid k \preceq 1\} \cup \{0 \to 0\}$. 
We also have $\Delta(suc_i)(1) = \{1 \to 0, 0 \to 0\}$. $1 \to 1 \notin \Delta(suc_i)(1)$ as $suc_i$ is a 
positive operator and, due to Condition 2) above, the operator output tier has 
to be strictly smaller than 1. 
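The two tier conditions of a safe operator typing environment, checked mechanically on the sets of Example 3, as an added Python example that is not code from the paper. The encoding of $\Delta$ as a dictionary and the function names are this example's own; it only checks the tier conditions, not the polynomial-time computability of $\llbracket op \rrbracket$.

```python
# Added example (not from the paper): the two conditions a safe operator typing
# environment Δ imposes on each admissible first-order tier, on Example 3's
# sets. A tier k_1 → ... → k_n → k' is the tuple (k_1, ..., k_n, k') and
# Δ(op)(k) is delta[(op, k)]; tiers are ints, so k ≺ k' is k < k' and
# k ⪯ k' is k <= k'. Operators are assumed to have arity n > 0.

POSITIVE = {"suc_0", "suc_1"}          # positive (non-neutral) operators


def failing_condition(op, k, fo_tier):
    """None if k_1 → ... → k_n → k' may belong to Δ(op)(k) in a safe Δ,
    otherwise 1 or 2, the first of the two conditions it violates."""
    ins, k_out = fo_tier[:-1], fo_tier[-1]
    meet = min(ins)                                    # ∧_{i} k_i
    if not (k_out <= meet <= k):                       # 1. k' ⪯ ∧ k_i ⪯ k
        return 1
    if op in POSITIVE and not k_out < k:               # 2. positive: k' ≺ k
        return 2
    return None


def is_safe(delta):
    """Both conditions hold for every tier of every Δ(op)(k) in delta."""
    return all(failing_condition(op, k, t) is None
               for (op, k), tiers in delta.items() for t in tiers)


# Δ(!=)(1), Δ(pred)(2) and Δ(suc_i)(1) of Example 3, transcribed as data.
DELTA_EX3 = {
    ("!=", 1): {(1, 1, 1)} | {(k, k2, 0) for k in (0, 1) for k2 in (0, 1)},
    ("pred", 2): {(2, k) for k in (0, 1, 2)} | {(1, k) for k in (0, 1)} | {(0, 0)},
    ("suc_0", 1): {(1, 0), (0, 0)},
    ("suc_1", 1): {(1, 0), (0, 0)},
}
```

`failing_condition("!=", 1, (1, 0, 1))` reports condition 1 (the $1 \not\preceq 0$ of the example) and `failing_condition("suc_0", 1, (1, 1))` reports condition 2, while `is_safe(DELTA_EX3)` holds.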


Given a simple typing environment $\Gamma_\mathtt{W}$, a procedure typing environment $\Omega$, 
and a safe operator typing environment $\Delta$, a program $prog$ is a safe program if 
it is well-typed for these environments, i.e., $\Gamma_\mathtt{W}, \Omega, \Delta \vdash prog : (\mathtt{W} \to \mathtt{W}) \to \mathtt{W} \to \mathtt{W}$ 
can be derived. Let SAFE be the set of safe programs. 


Example 4. We consider the program ce of Example 1. We define the operator 
typing environment $\Delta$ by $\Delta(!\!=)(2) = \{1 \to 1 \to 1\}$, $\Delta(pred)(1) = \{1 \to 1\}$, 
and $\Delta(\epsilon)(2) = \{0, 1\}$. As the three operators $!\!=$, $pred$, and $\epsilon$ are neutral, the 
environment $\Delta$ is safe. We define the simple typing environment $\Gamma_\mathtt{W}$ by $\Gamma_\mathtt{W}(w) = 
\mathtt{W}$, $\Gamma_\mathtt{W}(v) = \mathtt{W}$, $\Gamma_\mathtt{W}(z) = \mathtt{W}$, $\Gamma_\mathtt{W}(X_1) = \mathtt{W} \to \mathtt{W}$, and $\Gamma_\mathtt{W}(X_2) = \mathtt{W} \to \mathtt{W}$. We define the 
variable typing environment $\Gamma$ by $\Gamma(w) = 1$, $\Gamma(v) = 1$, $\Gamma(z) = 0$. Finally, define 
the procedure typing environment $\Omega$ by $\Omega(KS) = (\Gamma, (1, 2, 1))$. Using the rules 
of Figure 3, the following typing judgement can be derived: $\Gamma_\mathtt{W}, \Omega, \Delta \vdash ce : 
(\mathtt{W} \to \mathtt{W}) \to \mathtt{W} \to \mathtt{W}$. Hence $ce \in SAFE$. 
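A checker for the tier-based rules of Figure 3a, run on the body of procedure KS (as listed in Example 8) with the environments $\Delta$ and $\Gamma$ and the triple $\Omega(KS) = (\Gamma, (1, 2, 1))$ of Example 4, as an added Python example that is not code from the paper. The tuple encoding of expressions and statements and the function names are this example's own; it also shows two judgments the rules reject, a flow from tier 0 into tier 1 and an oracle result placed at the loop-guard tier.

```python
# Added example (not from the paper): a checker for Figure 3a on body(KS).
# Expressions: ("var", x), ("op", name, [args]) or ("oracle", X, e1, e2).
# Statements: ("skip",), ("seq", st, ...), ("asg", x, e), ("if", e, st1, st0)
# or ("while", e, st). Tiers are ints: k ≺ k' is k < k', k ⪯ k' is k <= k'.
# Δ(op)(k_in) of Example 4; a tier k_1 → ... → k_n → k' is (k_1, ..., k_n, k').
DELTA = {("!=", 2): {(1, 1, 1)}, ("pred", 1): {(1, 1)},
         ("eps", 2): {(0,), (1,)}}        # the constant ε has arity zero
GAMMA = {"w": 1, "v": 1, "z": 0}          # Γ of Example 4


def expr_tiers(gamma, delta, e, k_in, k_out):
    """All tiers k with Γ, Δ ⊢ e : (k, k_in, k_out) derivable."""
    kind = e[0]
    if kind == "var":                                   # (E-VAR)
        return {gamma[e[1]]} if e[1] in gamma else set()
    if kind == "op":                                    # (E-OP)
        _, op, args = e
        tiers = set()
        for fo in delta.get((op, k_in), set()):
            ins, out = fo[:-1], fo[-1]
            if len(ins) == len(args) and all(
                    ki in expr_tiers(gamma, delta, a, k_in, k_out)
                    for ki, a in zip(ins, args)):
                tiers.add(out)
        return tiers
    if kind == "oracle":                                # (E-OR)
        _, _X, e1, e2 = e
        if k_out not in expr_tiers(gamma, delta, e2, k_in, k_out):
            return set()               # the bound e2 must sit at tier k_out
        return {k for k in expr_tiers(gamma, delta, e1, k_in, k_out)
                if k < k_in and k <= k_out}    # k ≺ k_in and k ⪯ k_out
    raise ValueError(kind)


def stmt_ok(gamma, delta, st, k, k_in, k_out):
    """Is Γ, Δ ⊢ st : (k, k_in, k_out) derivable? (S-SUB) re-types any
    statement at a higher tier, so derivability is monotone in k."""
    kind = st[0]
    if kind == "skip":                                  # (S-SK), (S-SUB)
        return True
    if kind == "seq":                                   # (S-SEQ)
        return all(stmt_ok(gamma, delta, s, k, k_in, k_out) for s in st[1:])
    if kind == "asg":                                   # (S-ASG): k1 ⪯ k2
        _, x, e = st
        k1 = gamma.get(x)
        return (k1 is not None and k1 <= k and any(
            k2 >= k1 for k2 in expr_tiers(gamma, delta, e, k_in, k_out)))
    if kind == "if":                                    # (S-CND)
        _, e, st1, st0 = st
        return any(stmt_ok(gamma, delta, st1, kg, k_in, k_out)
                   and stmt_ok(gamma, delta, st0, kg, k_in, k_out)
                   for kg in expr_tiers(gamma, delta, e, k_in, k_out)
                   if kg <= k)
    if kind == "while":
        _, e, body = st
        for kg in range(1, k + 1):                      # guard tier, 1 ⪯ kg
            if k_out == 0:                              # (S-WINIT)
                ok = (kg in expr_tiers(gamma, delta, e, k_in, kg)
                      and stmt_ok(gamma, delta, body, kg, kg, kg))
            else:                                       # (S-WH): kg ⪯ k_out
                ok = (kg <= k_out
                      and kg in expr_tiers(gamma, delta, e, k_in, k_out)
                      and stmt_ok(gamma, delta, body, kg, kg, k_out))
            if ok:
                return True
        return False
    raise ValueError(kind)


# Body of KS: w := X1(ε|ε); z := ε; while(v != ε){v := pred(v); z := X2(z|w)}
EPS = ("op", "eps", [])
V, W, Z = ("var", "v"), ("var", "w"), ("var", "z")
KS_BODY = ("seq",
           ("asg", "w", ("oracle", "X1", EPS, EPS)),
           ("asg", "z", EPS),
           ("while", ("op", "!=", [V, EPS]),
            ("seq", ("asg", "v", ("op", "pred", [V])),
             ("asg", "z", ("oracle", "X2", Z, W)))))


def ks_body_well_typed():
    """Γ, Δ ⊢ body(KS) : (1, 2, 1), the triple Ω(KS) of Example 4."""
    return stmt_ok(GAMMA, DELTA, KS_BODY, 1, 2, 1)


def leak_rejected():
    """v := z would move tier-0 data into tier-1 v; (S-ASG) needs k1 ⪯ k2."""
    return not stmt_ok(GAMMA, DELTA, ("asg", "v", Z), 1, 2, 1)


def oracle_output_cannot_drive_loop():
    """With z at tier 1, z := X2(z|w) inside the loop would need a tier
    strictly below k_in = 1, so KS is no longer typable."""
    return not stmt_ok(dict(GAMMA, z=1), DELTA, KS_BODY, 1, 2, 1)
```

Inside the loop the body is checked at $(1, 1, 1)$, so the guard `v != ε` is typed with $k_{in} = 2$ (using $\Delta(!\!=)(2)$) while `pred` is typed with $k_{in} = 1$ (using $\Delta(pred)(1)$), which is why Example 4 declares those two entries and no others.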


4 Characterizations of the class of Basic Feasible 
Functionals 


Safe and terminating programs. In this section, we show that typable (safe) 
and terminating programs capture exactly the class of basic feasible functionals. 

For a given set of functionals $S$, let $S_2$ be the restriction of $S$ to second-order 
functionals and let $\Lambda(S)$ be the set of functions computed by closed simply-typed 
lambda terms using functions in $S$ as constants. Formally, let $\Lambda(S)$ be the set 
of functions denoted by the set of closed simply-typed lambda terms generated 
inductively as follows: 


— for each type $\tau$, variables $x^\tau, y^\tau, \ldots$ are terms, 

— for each functional $F \in S$ of type $\tau$, $F^\tau$ is a term, 

— for any term $t^{\tau'}$ and variable $x^\tau$, $\lambda x^\tau.t^{\tau'}$ is a term of type $\tau \to \tau'$, 
— for any terms $t^{\tau \to \tau'}$ and $s^\tau$, $t^{\tau \to \tau'} s^\tau$ is a term of type $\tau'$. 


Each lambda term of type $\tau$ represents a function of type $\tau$ and terms are 
considered up to $\beta$ and $\eta$ equivalences. $\Lambda(S)_2$ is called the second-order simply- 
typed lambda closure of $S$. 

Given a simple typing environment $\Gamma_\mathtt{W}$, a safe operator typing environment $\Delta$, 
and a triplet of tiers $(k, k_{in}, k_{out})$, a procedure $p = P(\overline{X}, \overline{x})\{[\mathtt{var}\ \overline{y};]\ st\ \mathtt{return}\ x\}$ 
is safe if it is well-typed for these environments, i.e. $\Gamma_\mathtt{W}, \Delta \vdash st : (k, k_{in}, k_{out})$ can 
be derived using the rules of Figure 3. $P$ computes a second-order partial func- 
tional $\llbracket P \rrbracket \in (W \to W)^{|\overline{X}|} \to W^{|\overline{x}|} \to W$, defined by $\llbracket P \rrbracket(\overline{f}, \overline{w}) = w$ iff $(\{p\}, \mu_\emptyset[\overline{x} \leftarrow 
\overline{w}, \overline{X} \leftarrow \overline{f}], \mathtt{call}\ P(\overline{X}, \overline{x})) \to_{env} w$ (see Figure 2). If $\llbracket P \rrbracket$ is a total function, then 
the procedure terminates. Let ST be the set of safe and terminating procedures. 

The characterization of BFF in terms of safe and terminating procedures 
discussed in the introduction can be stated as follows. 


Theorem 1 ([16]). $\Lambda(\llbracket ST \rrbracket)_2 = BFF$. 


We are now ready to state a first characterization of BFF in terms of safe 
(SAFE) and terminating (SN) programs, showing that the external simply-typed 
lambda-closure of Theorem 1 can be removed. 


Theorem 2. $\llbracket SN \cap SAFE \rrbracket_2 = BFF$. 


We want to highlight that the characterization of Theorem 2 is not just 
“moving” the simply-typed lambda-closure inside the programming language by 
adding a construct for lambda-abstraction. Indeed, the soundness of this result 
crucially depends on some choices on the language design that we have enforced: 
the restricted ability to compose oracles using closures, and the read-only mode 
of oracles inside a procedure call, implemented through continuations. 


Safe and terminating rank-r programs. More importantly, we also show 
that this characterization is still valid in the absence of lambda-abstraction. 

A safe program $prog$ w.r.t. a typing derivation $\pi$ is a rank-$r$ program, 
if for any typing sub-derivation $\pi' \lhd \Gamma_\mathtt{W}, \Omega, \Delta \vdash \lambda a.t : T$ of $\pi$, it holds that 
$ord(T) \leq r$. In other words, all lambda-abstractions are at most type-$k$ terms, 
for $k \leq r$. In particular, a rank-$(r+1)$ program, for $r \geq 1$, has variables that are 
at most type-$r$ variables. Rank-0 and rank-1 programs may have both type-0 and 
type-1 variables as these variables can still be captured by closures, procedure 
declarations, or boxes. 

For a given set $S$ of well-typed programs, let $S_r$ be the subset of rank-$r$ 
programs in $S$, i.e., $S_r = \{prog \in S \mid prog \text{ is a rank-}r\text{ program}\}$. For example, 
$SAFE_r$ denotes the set of safe rank-$r$ programs. It trivially holds that $SAFE = 
\bigcup_{r \in \mathbb{N}} SAFE_r$. The rank is clearly not uniquely determined for a given program. In 
particular, any rank-$r$ program is also a rank-$(r+1)$ program. Consequently, for 
any set $S$ of well-typed programs and any $i \leq j$, it trivially holds that $S_i \subseteq S_j$. 


Example 5. Program ce of Example 1 is in $SAFE_0$. Indeed, $ce \in SAFE$, cf. Ex- 
ample 4, and ce is a rank-0 program, as it does not use any lambda-abstraction. 


Now we revisit the syntax and semantics of safe rank-0 programs in $SAFE_0$. 
The programs are generated by the syntax of Figure 1, where the terms are all 
of type-0 and redefined by: 

Terms $t^0, t^0_1, t^0_2, \ldots ::= x \mid X@t^0 \mid \mathtt{call}\ P(\overline{c}, \overline{t^0})$ 


Moreover, there is no longer a need for call-by-name reduction in the big step 
operational semantics. As a consequence, the rules (TVar), (OA), and (Call) of 
Figure 2c can be replaced by the following simplified rules (premises ⟹ conclusion): 


(TVar⁰) ⟹ $(\sigma, \mu, x) \to_{env} \mu(x)$ 

(OA⁰) $(\sigma, \mu, t^0) \to_{env} w$ ⟹ $(\sigma, \mu, X@t^0) \to_{env} \mu(X)(w)$ 

(Call⁰) $(\sigma, \mu, \overline{t^0}) \to_{env} \overline{w}$, $(\sigma, \mu[\overline{x} \leftarrow \overline{w}, \overline{y} \leftarrow \epsilon], \overline{X} \mapsto \overline{c}, st) \to_{st} \mu'$ ⟹ $(\sigma \cup \{P(\overline{X}, \overline{x})\{\mathtt{var}\ \overline{y}; st\ \mathtt{return}\ z\}\}, \mu, \mathtt{call}\ P(\overline{c}, \overline{t^0})) \to_{env} \mu'(z)$ 


We are now ready to characterize BFF in terms of safe and terminating rank-0 
programs. 


Theorem 3. $\llbracket SN \cap SAFE_0 \rrbracket = BFF$. 


Hence the characterization of Theorem 2 is just a conservative extension 
of Theorem 3: lambda-abstractions, viewed as a construct of the programming 
language, allow for more expressive power in the programming discipline but do 
not capture more functions. As lambda-abstraction is fully removed from the 
programming language, this also shows that the simply-typed lambda closure 
of Theorem 1 can be simulated through restricted oracle compositions in our 
programming language (using closures and continuations). Moreover, the full 
hierarchy of safe and terminating rank-r programs collapses. 


Corollary 1. $\forall r \in \mathbb{N}$, $\llbracket SN \cap SAFE_r \rrbracket = BFF$. 


Tractable type inference. Let the size |prog| of the program prog be the 
total number of symbols in prog. Type inference is tractable for safe programs. 


Theorem 4. Given a program prog and a safe operator typing environment A, 


— deciding whether $prog \in SAFE$ holds is a P-complete problem. 
— deciding whether $prog \in SAFE$ holds can be done in time O(|prog|?). 


Tractability of type inference is a nice property of the type system. Showing 
$prog \in SN$ is at least as hard as showing the termination of a first-order program, 
hence $\Pi^0_2$-hard in the arithmetical hierarchy. Therefore, the characterizations of 
Theorems 1, 2, and 3 are unlikely to be decidable, let alone tractable. 


5 A completeness-preserving termination criterion 


In this section, we show that the undecidable termination assumption (SN) can 
be replaced with a criterion, called $SCP_S$, adapted from the Size-Change Termi- 
nation (SCT) techniques of [23], that is decidable in polynomial time and that 
preserves the completeness of the characterizations. We first show that studying 
safe program termination can be reduced to the study of procedure termination. 


Lemma 1. For a given prog € SAFE, if there exists P € Proc(prog) that 
terminates, then prog is terminating. 


Hence, ensuring the termination of any procedure of a given safe program is 
a sufficient condition for the program to terminate. The converse trivially does 
not hold as, for example, a procedure with an infinite loop may be declared and 
not be called within a given safe program. 
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Size-Change Termination. SCT relies on the fact that if all infinite execu- 
tions imply an infinite descent in a well-founded order, then no infinite execu- 
tion exists. To apply this fact for proving termination, [23] defines Size-Change 
Graphs (SCGs) that exhibit decreases in the parameters of function calls and 
then studies the infinite paths in all possible infinite sequences of calls. If all 
those infinite sequences have at least one strictly decreasing path, then the pro- 
gram must terminate for all inputs. While SCT is PSpace-complete, [7] develops 
a more effective technique, called SCP, that is in P. The SCP technique is strong 
enough for our use case. In the literature, SCT and SCP are applied to pure func- 
tional languages. As we shall enforce termination of procedures, we will follow 
the approach of [1] adapting SCT to imperative programs. 

First, we distinguish two kinds of operators that will enforce some (strict) 
decrease. An operator $op$ is (strictly) decreasing in $i$, for $i \leq ar(op)$, if $\forall \overline{w} \in W^{ar(op)}$, 
$w_i \neq \epsilon$ implies $|\llbracket op \rrbracket(\overline{w})| \leq |w_i|$ ($|\llbracket op \rrbracket(\overline{w})| < |w_i|$, respectively) and $w_i = \epsilon$ implies $\llbracket op \rrbracket(\overline{w}) = \epsilon$. For 
operators of arity greater than 2, $i$ may not be unique but will be fixed for each 
operator in what follows. 

For simplicity, we will assume that assignments of the considered programs 
are flattened, that is for any assignment $x := e$, either $e = y \in V_0$, or $e = op(\overline{x})$, 
with $\overline{x} \in V_0$, or $e = X(y \,|\, z)$, with $y, z \in V_0$ and $X \in V_1$. Notice that, by using 
extra type-0 variables, any program can be easily transformed into a program 
with flattened assignments, while preserving semantics and safety properties. 

For each assignment of a procedure $P$, we design a bipartite graph, called a 
SCG, whose nodes are type-0 variables in $(local(P) \cup param(P)) \cap V_0$ and whose arrows 
indicate decreases or stagnation from the old variable to the new. If a variable 
may increase, then the new variable will not have an in-arrow. 

The bipartite graph is generated for any flattened assignment $x := e$ by: 


— for each $y$, $y \neq x$, we draw an arrow from left $y$ to right $y$. 
— If $e = y$, we draw an arrow from left $y$ to right $x$. 
— If $e = op(\overline{x})$, with $op$ a: 
  • decreasing operator in $i$, we draw an arrow from $x_i$ to $x$. 
  • strictly decreasing operator in $i$, we draw a "down-arrow" from $x_i$ to $x$. 


In all other cases (neutral and non-decreasing operators, positive operators, or- 
acle calls), we do not draw arrows. We will name this SCG graph $G(x := e)$. 
Finally, for a set $V$ of variables, $G^V$ will denote the SCG obtained as a subgraph 
of $G$ restricted to the variables of $V$. 


Example 6. Here are the SCGs associated to simple assignments of a procedure 
with three type-0 variables $x, y, z$ using a strictly decreasing operator in 1 ($pred$), 
a decreasing operator ($min$) in 1, a positive operator ($+1$), and an oracle call. 
Arrows are written $\to$ and down-arrows $\downarrow$; a right node with no in-arrow is listed as such. 


— $y := pred(x)$: $x \to x$, $x \downarrow y$, $z \to z$. 
— $y := min(x, y)$: $x \to x$, $x \to y$, $z \to z$. 
— $x := x + 1$: $y \to y$, $z \to z$; $x$ has no in-arrow. 
— $x := X(y \,|\, z)$: $y \to y$, $z \to z$; $x$ has no in-arrow. 
The language $\mathcal{L}(st)$ of (potentially infinite) sequences of SCG associated 
with the statement $st$ is defined inductively as an $\infty$-regular expression. 


$\mathcal{L}(x := e) \triangleq G(x := e)$ \qquad $\mathcal{L}(\mathtt{if}(e)\{st_1\}\mathtt{else}\{st_2\}) \triangleq \mathcal{L}(st_1) + \mathcal{L}(st_2)$ 
$\mathcal{L}(st_1; st_2) \triangleq \mathcal{L}(st_1).\mathcal{L}(st_2)$ \qquad $\mathcal{L}(\mathtt{while}(e)\{st_1\}) \triangleq \mathcal{L}(st_1)^\infty$ 


where, following the standard terminology for automata [28], $\mathcal{L}(st)^\infty$ is defined 
by $\mathcal{L}(st)^\infty \triangleq \mathcal{L}(st)^* + \mathcal{L}(st)^\omega$. In the composition of SCGs, we are interested in 
paths that advance through the whole concatenated graph. Such a path implies 
that the final value of the destination variable is of size at most equal to the 
initial value of the source variable. If the path contains a down-arrow, then the 
size of the corresponding words decreases strictly. 

Following the terminology of [7], a (potentially infinite) sequence of SCGs 
has a down-thread if the associated concatenated graph contains a path spanning 
every SCG in the sequence and this path includes a down-arrow. 


Example 7. Consider the statement $st = y := pred(x); y := min(x, y); x := x + 
1; x := X(y \,|\, z)$, whose SCGs are described in Example 6. The concatenated 
graph obtained from the (unique and finite) sequence of SCGs in $\mathcal{L}(st)$ is pro- 
vided below. It contains a down-thread (the path from $x$ to $y$). 


$x \to x \to x$, then $x$ has no in-arrow in the last two graphs; 
$x \downarrow y \to y \to y \to y$ (the down-thread, through $x \to y$ in the second graph); 
$z \to z \to z \to z \to z$. 


A (potentially infinite) sequence of SCGs is fan-in free if the in-degree of nodes 
is at most 1. By construction, all the considered SCGs are fan-in free. 


Safety and Polynomial Size-Change. Unfortunately, programs with down- 
threads can loop infinitely in the $\epsilon$ state. To prevent this, we restrict the analysis 
to cases where while loops explicitly break out when the decreasing variable 
reaches $\epsilon$, that is procedures with while loops of the shape $\mathtt{while}(x \mathrel{!\!=} \epsilon)\{st\}$. 

For a given set $V$ of variables, we will say that $st$ satisfies the simple graph 
property for $V$ if for any while loop $\mathtt{while}(x \mathrel{!\!=} \epsilon)\{st'\}$ in $st$ all sequences 
of SCGs $G_1^V G_2^V \ldots$ such that $G_1 G_2 \ldots \in \mathcal{L}(st')$ are fan-in free and contain a 
down-thread from $x$ to $x$. A procedure is in $SCP_S$ if its statement satisfies the 
simple graph property for the set of variables in while guards. A program is in 
$SCP_S$ if all its procedures are in $SCP_S$. 


Example 8. The program ce of Example 1 is in $SCP_S$. The language $\mathcal{L}(body(KS))$ 
corresponding to the body of procedure KS is equal to $G_1.G_2.(G_3.G_4)^\infty$, where 
the SCGs $G_i$ are defined as follows: 

— $G_1$, $w := X_1(\epsilon \,|\, \epsilon)$: $v \to v$, $z \to z$; $w$ has no in-arrow. 
— $G_2$, $z := \epsilon$: $v \to v$, $w \to w$; $z$ has no in-arrow. 
— $G_3$, $v := pred(v)$: $v \downarrow v$, $w \to w$, $z \to z$. 
— $G_4$, $z := X_2(z \,|\, w)$: $v \to v$, $w \to w$; $z$ has no in-arrow. 


First, the procedure body satisfies the syntactic restrictions on programs (flat- 
tened expressions and restricted while guards). Moreover, the procedure body 
satisfies the simple graph property for $\{v\}$ as there is always a down-thread on 
the path from $v$ to $v$ in $(G_3.G_4)^\infty$ and any corresponding sequence is fan-in free. 
Consequently, the program ce is in $SCP_S \cap SAFE_0$, by Example 5. 


$SCP_S$ preserves completeness on safe programs for BFF. 
Theorem 5. $\llbracket SCP_S \cap SAFE_0 \rrbracket = \llbracket SCP_S \cap SAFE \rrbracket = BFF$. 


While in general deciding if a program satisfies the size-change principle is 
PSpace-complete, $SCP_S$ can be checked in quadratic time and, consequently, we 
obtain the following results. 


Theorem 6. Given a program $prog$ and a safe operator typing environment, 


— deciding whether $prog \in SCP_S \cap SAFE$ is a P-complete problem. 
— deciding whether $prog \in SCP_S \cap SAFE_0$ can be done in time O(|prog|*). 


6 Conclusion and future work 


We have presented a typing discipline and a termination criterion for a program- 
ming language that are sound and complete for the class of second-order polytime 
computable functionals, BFF. This characterization has three main advantages: 
1) it is based on a natural higher-order programming language with imperative 
procedures; 2) it is pure as it does not rely on extra semantic requirements 
(such as taking the lambda closure); 3) belonging to the set $SCP_S \cap SAFE$ can 
be decided in polynomial time. The benefit of tractability is that our method 
can be automated. However, the expressive power of the captured programs is 
restricted. This drawback is the price to pay for tractability, and we claim that 
the full SCT method, known to be PSpace-complete, could be adapted in a more 
general way to our programming language in order to capture more programs at 
the price of a worse complexity. Moreover, any termination criterion based on 
the absence of infinite data flows with respect to some well-founded order could 
work and preserve completeness of our characterizations. Another issue of inter- 
est is to study whether the presented approach could be extended to characterize 
BFF in a purely functional language. We leave these open issues as future work. 
Abstract. By abstracting over well-known properties of De Bruijn's 
representation with nameless dummies, we design a new theory of syntax 
with variable binding and capture-avoiding substitution. We propose it 
as a simpler alternative to Fiore, Plotkin, and Turi's approach, with 
which we establish a strong formal link. We also show that our theory 
easily incorporates simple types and equations between terms. 
1 Introduction 


There is a standard notion of signature for syntax with variable binding called 
binding signature. Such a signature consists of a set of operation symbols, to- 
gether with, for each of them, a binding arity. A binding arity is a list $(n_1, \ldots, n_p)$ 
of natural numbers, whose meaning is that the considered operation has $p$ ar- 
guments, with $n_i$ variables bound in the $i$th argument, for all $i \in \{1, \ldots, p\}$. 


Example 1. 


— $\lambda$-abstraction has binding arity $(1)$ (one argument, with one bound variable); 

— application has binding arity $(0, 0)$ (two arguments, with no bound variable); 

— unary explicit substitution $e[x \mapsto f]$ has binding arity $(1, 0)$ (two arguments, 
with one variable bound in the first and none in the second). 


There are several possible representations of the syntax specified by a bind- 
ing signature, most of them benefiting from good semantical understanding. 
The traditional, nominal representation has been nicely framed within nominal 
sets [12]. The representation by De Bruijn levels, a.k.a. nested datatypes [5,1], 
is well-understood thanks to presheaf models [11], as is higher-order abstract 
syntax [19]. However, one of the oldest representations, using De Bruijn’s idea 
of modelling variables with nameless dummies, does not benefit from any se- 
mantical framework. This may be related to the fact that it is often perceived 
as low-level and error-prone [4]. Our goal in this paper is to equip De Bruijn's 
representation with a suitable semantical framework. 

Let us start by stressing some of the features of this representation, for some 
fixed binding signature S. 


Inductive definition The set $DB_S$ of terms is the least fixed point of a suitable 
endofunctor on sets, derived from $S$. In particular, there is a variables map 
$v : \mathbb{N} \to DB_S$ and, for each operation $o$ in $S$ with binding arity $(n_1, \ldots, n_p)$, 
a map $o_{DB_S} : DB_S^p \to DB_S$. 

Substitution $DB_S$ is equipped with a (parallel) substitution map 


$-[-] : DB_S \times DB_S^{\mathbb{N}} \to DB_S,$ 


which satisfies three standard substitution lemmas (associativity, left and 
right unitality). 

Furthermore, substitution is compatible with operations, in the sense that 
it satisfies the following crucial binding conditions: for each operation $o$ 
with binding arity $(n_1, \ldots, n_p)$, $e_1, \ldots, e_p \in DB_S$, and $f : \mathbb{N} \to DB_S$, 


$o_{DB_S}(e_1, \ldots, e_p)[f] = o_{DB_S}(e_1[\Uparrow^{n_1} f], \ldots, e_p[\Uparrow^{n_p} f]), \qquad (1)$ 


where $\Uparrow$ is a unary operation defined on $DB_S^{\mathbb{N}}$ by 


$(\Uparrow \sigma)(0) = v(0)$ 
$(\Uparrow \sigma)(n+1) = \sigma(n)[p \mapsto v(p+1)].$ 


In the present work, by abstracting over these properties, we propose a simple 
theory for syntax with variable binding, which we summarise as follows. 


De Bruijn monad (§2) A De Bruijn monad consists of a set $X$, equipped with
variables and substitution maps, say $v\colon \mathbb{N} \to X$ and $-[-]\colon X \times X^{\mathbb{N}} \to X$,
satisfying the abstract counterparts of the above substitution lemmas.

De Bruijn S-algebra A De Bruijn S-algebra⁵ is a De Bruijn monad $(X, -[-], v)$
equipped with operations from the signature $S$, satisfying the abstract
counterpart of the above binding condition.

The term De Bruijn S-algebra We define the set $DB_S$ by an abstract
counterpart of the above inductive definition. The substitution map $-[-]\colon DB_S \times
DB_S^{\mathbb{N}} \to DB_S$ is then the unique map satisfying left unitality and the binding
conditions. Furthermore, it satisfies both other substitution lemmas, hence
upgrades $DB_S$ into a De Bruijn S-algebra.

Category of De Bruijn S-algebras (§3) De Bruijn S-algebras are the objects
of a category S-DBAlg, whose morphisms are all maps between underlying
sets that commute with variables, substitution, and operations.


Initial-algebra Semantics Finally, $DB_S$ is initial in S-DBAlg, which provides
a relevant induction/recursion principle.


5 There is a slightly different notion of De Bruijn algebra in the literature, see the 
related work section. 
We thus propose a theory for syntax with substitution, which is an alterna-
tive to the mainstream initial-algebra semantics of Fiore et al.’s [11]. We have 
experienced the simplicity of our theory by formalising it not only in Coq, but 
also in HOL Light, which does not support dependent types. 

Our theory is similar to the mainstream theory [11], in the following aspects. 


— Our and their basic definitions of syntax can be recast using relative monads:
De Bruijn monads are monads relative to the functor $1 \to \mathrm{Set}$ selecting $\mathbb{N}$,
while Fiore et al.’s substitution monoids are monads relative to the full and
faithful embedding into Set of the category of finite ordinals and arbitrary
maps between them.

— We find (Theorem 3, §4) that both approaches, in their own ways, include 
exotic models, and that when freed from them, our category of De Bruijn 
S-algebras and their category of S-models become equivalent. In this sense, 
both semantics differ only marginally. 

— In §5, we show how De Bruijn S-algebras can be defined by resorting to (a 
slight generalisation [6] of) pointed strong endofunctors, in the spirit of [11]. 

— Their framework accommodates simple types and equations [7]; we also provide
such extensions of our theory in §6 and §7.


Related work 


Abstract frameworks for variable binding One of the mainstream such frame- 
works is [11]. This has been our main reference and in §5 we establish a strong 
link between this framework and our proposal. This link could probably be ex- 
tended to variants such as [17,18,3]. 

In a more recent work, Allais et al. [1] introduce a universe of syntaxes, 
which essentially corresponds to a simply-typed version of binding signatures. 
Their framework is designed to facilitate the definition of so-called traversals, 
i.e., functions defined by structural induction, “traversing” their argument. We 
leave for future work the task of adapting our approach to such traversals. 

In a similar spirit, let us mention the recent work of Gheri and Popescu [13], 
which presents a theory of syntax with binding, mechanised in Isabelle/HOL. 
Potential links with our approach remain unclear to us at the time of writing. 

Finally, the categories of well-behaved objects obtained in §4 are technically 
very close to nominal sets [12]: finite supports appear in the action-based presen- 
tation of nominal sets, while pullback preservation appears in their sheaf-based 
presentation. And indeed, any well-behaved presheaf yields a nominal set, and so 
does any well-behaved De Bruijn monad. However, these links are not entirely 
satisfactory, because they do not account for substitution. The reason is that 
the only categorical theory of substitution that we know of for nominal sets, by 
Power [24], is operadic rather than monadic, so we do not immediately see how 
to extend the correspondence. 


Proof assistant libraries Allais et al. [1] mechanise their approach in Agda. In 
the same spirit, the presheaf-based approach was recently formalised [9]. 
De Bruijn representation benefits from well-developed proof assistant li-
braries, in particular Autosubst [26,27]. They introduce a notion of De Bruijn 
algebra, and design a sound and complete decision procedure for their equational 
theory, which they furthermore implement for Coq. 

Our notion of De Bruijn algebra differs from theirs, notably in that their 
substitutions are finitely generated. Our approach makes the theoretical devel- 
opment significantly simpler, but of course finite generation is crucial for their 
main purpose, namely decidability. 


General notation 


We denote by $A^* = \coprod_{n \in \mathbb{N}} A^n$ the set of finite sequences of elements of $A$, for
any set $A$. In any category $\mathcal{C}$, we tend to write $[C, D]$ for the hom-set $\mathcal{C}(C, D)$
between any two objects $C$ and $D$. Finally, for any endofunctor $F$, $F$-alg denotes
the usual category of $F$-algebras and morphisms between them.


2 De Bruijn monads 


In this section, we start by introducing De Bruijn monads. Then, we define lifting
of assignments, the binding conditions, and the models of a binding signature $S$
in De Bruijn monads, De Bruijn S-algebras. Finally, we construct the term De
Bruijn S-algebra.


2.1 Definition of De Bruijn monads 
We start by fixing some terminology and notation, and then give the definition. 


Definition 1. Given a set $X$, an $X$-assignment is a map $\mathbb{N} \to X$. We some-
times merely use “assignment” when $X$ is clear from context.


Notation 2.1. Consider any map $s\colon X \times Y^{\mathbb{N}} \to Z$.


— For all $x \in X$ and $g\colon \mathbb{N} \to Y$, we write $x[g]_s$ for $s(x, g)$, or even $x[g]$ when $s$
is clear from context.
— Furthermore, $s$ gives rise to the map

$$X^{\mathbb{N}} \times Y^{\mathbb{N}} \to Z^{\mathbb{N}}, \qquad (f, g) \mapsto (n \mapsto s(f(n), g)).$$

We use similar notation for this map, i.e., $f[g](n) := f(n)[g]_s$.


Definition 2. A De Bruijn monad is a set $X$, equipped with


— a substitution map $s\colon X \times X^{\mathbb{N}} \to X$, which takes an element $x \in X$ and an
assignment $f\colon \mathbb{N} \to X$, and returns an element $x[f]$, and
— a variables map $v\colon \mathbb{N} \to X$,


satisfying, for all $x \in X$, and $f, g\colon \mathbb{N} \to X$:


Variable binding and substitution for (nameless) dummies 393 


— associativity: $x[f][g] = x[f[g]]$,
— left unitality: $v(n)[f] = f(n)$, and
— right unitality: $x[v] = x$.


Example 2. The set $\mathbb{N}$ itself is clearly a De Bruijn monad, with variables given
by the identity and substitution $\mathbb{N} \times \mathbb{N}^{\mathbb{N}} \to \mathbb{N}$ given by evaluation. This is in fact
the initial De Bruijn monad, as should be clear from the development below.


Example 3. The set $\Lambda := \mu X.\ \mathbb{N} + X + X^2$ of $\lambda$-terms forms a De Bruijn monad. The
variables map $\mathbb{N} \to \Lambda$ is the obvious one, while the substitution map $\Lambda \times \Lambda^{\mathbb{N}} \to \Lambda$
is less obvious but standard. In Example 5, as an application of Theorem 2, we
will characterise this De Bruijn monad by a universal property.


2.2 Lifting assignments 


Given a De Bruijn monad $M$, we define an operation called lifting on its set of
assignments $\mathbb{N} \to M$. It is convenient to stress that only part of the structure of
De Bruijn monad is needed for this definition.


Definition 3. Consider any set $M$, equipped with maps $s\colon M \times M^{\mathbb{N}} \to M$ and
$v\colon \mathbb{N} \to M$. For any assignment $\sigma\colon \mathbb{N} \to M$, we define the assignment $\Uparrow\sigma\colon \mathbb{N} \to M$ by

$$(\Uparrow\sigma)(0) = v(0) \qquad\qquad (\Uparrow\sigma)(n+1) = \sigma(n)[\uparrow],$$

where $\uparrow\colon \mathbb{N} \to M$ maps any $n$ to $v(n+1)$.


Remark 1. Both $\Uparrow$ and $\uparrow$ depend on $M$ and (part of) $(s, v)$. Here, and in other
similar situations below, we abuse notation and omit such dependencies for
readability.


Of course we may iterate lifting: 


Definition 4. Let $\Uparrow^0 \sigma = \sigma$, and $\Uparrow^{n+1} \sigma = \Uparrow(\Uparrow^n \sigma)$.


2.3 Binding arities and binding conditions 


Our treatment of binding arities reflects the separation between the first-order 
part of the arity, namely its length, which concerns the syntax, and the binding 
information, namely the binding numbers, which concerns the compatibility with 
substitution. 


Definition 5. 


— A first-order arity is a natural number.

— A binding arity is a sequence $(n_1, \dots, n_p)$ of natural numbers, i.e., an
element of $\mathbb{N}^*$.

— The first-order arity $|a|$ associated with a binding arity $a = (n_1, \dots, n_p)$ is
its length $p$.


Let us now axiomatise what we call an operation of a given binding arity. 
Definition 6. Let $a = (n_1, \dots, n_p)$ be any binding arity, $M$ be any set, $s\colon M \times
M^{\mathbb{N}} \to M$, and $v\colon \mathbb{N} \to M$ be any maps. An operation of binding arity $a$ is a
map $o\colon M^p \to M$ satisfying the following $a$-binding condition w.r.t. $(s, v)$:

$$\forall \sigma\colon \mathbb{N} \to M,\ x_1, \dots, x_p \in M, \qquad o(x_1, \dots, x_p)[\sigma] = o(x_1[\Uparrow^{n_1} \sigma], \dots, x_p[\Uparrow^{n_p} \sigma]). \qquad (2)$$


Remark 2. Let us emphasise the dependency of this definition on v and s — which 
is hidden in the notations for substitution and lifting. 


2.4 Binding signatures and algebras 


In this section, we recall the standard notions of first-order (resp. binding) sig- 
natures, and adapt the definition of algebras to our De Bruijn context. Let us 
first briefly recall the former. 


Definition 7. A first-order signature consists of a set $O$ of operations,
equipped with an arity map $ar\colon O \to \mathbb{N}$.


Definition 8. For any first-order signature $S := (O, ar)$, an $S$-algebra is a set
$X$, together with, for each operation $o \in O$, a map $o_X\colon X^{ar(o)} \to X$.


Let us now generalise this to binding signatures. 
Definition 9. 


— A binding signature [23] consists of a set $O$ of operations, equipped with
an arity map $ar\colon O \to \mathbb{N}^*$. Intuitively, the arity of an operation specifies the
number of bound variables in each argument.

— The first-order signature $|S|$ associated with a binding signature $S := (O, ar)$
is $|S| := (O, |ar|)$, where $|ar|\colon O \to \mathbb{N}$ maps any $o \in O$ to $|ar(o)|$.


Example 4. The binding signature for $\lambda$-calculus has two operations lam and
app, of respective arities $(1)$ and $(0, 0)$. The associated first-order signature has
two operations lam and app, of respective arities 1 and 2.


Let us now present the notion of De Bruijn S-algebra: 


Definition 10. For any binding signature $S := (O, ar)$, a De Bruijn S-algebra
is a De Bruijn monad $(X, s, v)$ equipped with an operation $o_X$ of binding arity
$ar(o)$, for all $o \in O$.


In order to state our characterisation of the term model, we associate to any 
binding signature an endofunctor on sets, as follows. 


Definition 11. The endofunctor $\Sigma_S$ associated to a binding signature $(O, ar)$ is
defined by $\Sigma_S(X) = \sum_{o \in O} X^{|ar(o)|}$.


Remark 3. The induced endofunctor just depends on the underlying first-order 
signature. 
Remark 4. As is well known, for any binding signature, the initial $(\mathbb{N} + \Sigma_S)$-
algebra has as carrier the least fixed point $\mu A.\ \mathbb{N} + \Sigma_S(A)$.


The following theorem defines the term model of a binding signature. 


Theorem 1. Consider any binding signature $S = (O, ar)$, and let $DB_S$ denote
the initial $(\mathbb{N} + \Sigma_S)$-algebra, with structure maps $v\colon \mathbb{N} \to DB_S$ and $a\colon \Sigma_S(DB_S) \to
DB_S$. Then,


(i) There exists a unique map $s\colon DB_S \times DB_S^{\mathbb{N}} \to DB_S$ such that
— for all $n \in \mathbb{N}$ and $f\colon \mathbb{N} \to DB_S$, $s(v(n), f) = f(n)$, and
— for all $o \in O$, the map $o_{DB_S}$ satisfies the $ar(o)$-binding condition w.r.t.
$(s, v)$.
(ii) This map turns $(DB_S, v, s, a)$ into a De Bruijn S-algebra.


Proof. We have proved the result in both HOL Light [22] and Coq [20]. 


Remark 5. Point (i) may be viewed as an abstract form of recursive definition
for substitution in the term model. The theorem thus allows us to construct
the term model of a signature in two steps: first the underlying set, constructed
as the inductive datatype $\mu Z.\ \mathbb{N} + \Sigma_S(Z)$, and then substitution, defined by the
binding conditions viewed as recursive equations.


Remark 6. We hope that our mechanisations [22,20] may be useful for future 
developments based on De Bruijn representation, to automatically generate the 
correct syntax and substitution from a suitable signature. This will have the 
advantage of reducing what needs to be read to make sure that the development 
actually does what is claimed. Normally, this part includes the whole definition 
of syntax and substitution, while our framework reduces it to only the binding 
signature. Our mechanisations may in fact be used for this purpose on existing 
developments, to certify the syntax and substitution, leaving only the binding 
signature for the reader to check. 


Example 5. For the binding signature of $\lambda$-calculus (Example 4), the carrier of
the initial model is $\mu Z.\ \mathbb{N} + Z + Z^2$, and substitution is defined inductively by:

$$v(n)[\sigma] = \sigma(n) \qquad \lambda(e)[\sigma] = \lambda(e[\Uparrow\sigma]) \qquad (e_1\ e_2)[\sigma] = e_1[\sigma]\ e_2[\sigma].$$
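Theorem 1 and Remark 5 describe how both syntax and substitution are generated from a binding signature alone, and Example 5 spells this out for the λ-calculus. The following added Python example (not the paper's Coq or HOL Light development) implements that recipe for an arbitrary binding signature: the term set is the inductive datatype, and substitution is defined by left unitality plus the binding conditions (1), with lifting as in Definition 3. It is instantiated on the λ-calculus signature of Example 4 and on unary explicit substitution of arity (1, 0) from the introduction, checks the three substitution lemmas of Definition 2 on concrete terms, and computes the finite support of Definition 20; the dictionary encoding of signatures and the names `subst`, `lift`, `beta` and `support` are this example's own choices.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Dict, Tuple, Union

# A binding signature S = (O, ar): operation name -> binding arity (n_1, ..., n_p).
Signature = Dict[str, Tuple[int, ...]]

@dataclass(frozen=True)
class Var:
    """v(n): the n-th nameless dummy."""
    n: int

@dataclass(frozen=True)
class Op:
    """o(e_1, ..., e_p) for an operation o of the signature."""
    name: str
    args: Tuple["Term", ...]

Term = Union[Var, Op]
Assignment = Callable[[int], Term]  # an assignment N -> DB_S

# Example 4: lam has binding arity (1), app has (0, 0).
LAMBDA: Signature = {"lam": (1,), "app": (0, 0)}
# The same signature extended with unary explicit substitution e[x |-> f], arity (1, 0).
LAMBDA_ES: Signature = {**LAMBDA, "esub": (1, 0)}

def var(n: int) -> Term:
    """The variables map v: N -> DB_S."""
    return Var(n)

def op(sig: Signature, name: str, *args: Term) -> Term:
    """Apply an operation of sig, checking its first-order arity |ar(o)|."""
    if len(args) != len(sig[name]):
        raise ValueError(f"{name} expects {len(sig[name])} arguments, got {len(args)}")
    return Op(name, tuple(args))

def shift(n: int) -> Term:
    """The assignment (up arrow) of Definition 3: p |-> v(p + 1)."""
    return Var(n + 1)

def lift(sig: Signature, sigma: Assignment) -> Assignment:
    """Lifting (Definition 3): (lift s)(0) = v(0), (lift s)(n + 1) = s(n)[shift]."""
    return lambda n: Var(0) if n == 0 else subst(sig, sigma(n - 1), shift)

def lift_n(sig: Signature, sigma: Assignment, k: int) -> Assignment:
    """Iterated lifting lift^k (Definition 4)."""
    for _ in range(k):
        sigma = lift(sig, sigma)
    return sigma

def subst(sig: Signature, t: Term, sigma: Assignment) -> Term:
    """t[sigma], given by the two clauses of Theorem 1(i): left unitality
    v(n)[sigma] = sigma(n), and the binding condition (1) for an operation of
    binding arity (n_1, ..., n_p):
        o(e_1, ..., e_p)[sigma] = o(e_1[lift^{n_1} sigma], ..., e_p[lift^{n_p} sigma])."""
    if isinstance(t, Var):
        return sigma(t.n)
    return Op(t.name, tuple(subst(sig, e, lift_n(sig, sigma, k))
                            for e, k in zip(t.args, sig[t.name])))

def compose(sig: Signature, f: Assignment, g: Assignment) -> Assignment:
    """f[g](n) := f(n)[g] (Notation 2.1)."""
    return lambda n: subst(sig, f(n), g)

def single(a: Term) -> Assignment:
    """The assignment a . v: dummy 0 becomes a, every other dummy moves down by one."""
    return lambda n: a if n == 0 else Var(n - 1)

def beta(t: Term) -> Term:
    """One beta step at the root: app(lam(e), a) becomes e[a . v]; anything else is returned unchanged."""
    if isinstance(t, Op) and t.name == "app" and isinstance(t.args[0], Op) and t.args[0].name == "lam":
        return subst(LAMBDA, t.args[0].args[0], single(t.args[1]))
    return t

def monad_laws_hold(sig: Signature, t: Term, f: Assignment, g: Assignment, bound: int = 8) -> bool:
    """Check the three substitution lemmas of Definition 2 on concrete data:
    associativity t[f][g] = t[f[g]], left unitality v(n)[f] = f(n) for n < bound,
    and right unitality t[v] = t."""
    assoc = subst(sig, subst(sig, t, f), g) == subst(sig, t, compose(sig, f, g))
    left = all(subst(sig, Var(n), f) == f(n) for n in range(bound))
    right = subst(sig, t, var) == t
    return assoc and left and right

def support(sig: Signature, t: Term, depth: int = 0) -> int:
    """Size of the finite support of Definition 20: the least N such that every
    renaming fixing 0..N-1 fixes t, i.e. 1 + the largest free index (0 if closed).
    depth counts the dummies bound above t, as given by the binding arities."""
    if isinstance(t, Var):
        return t.n - depth + 1 if t.n >= depth else 0
    return max((support(sig, e, depth + k) for e, k in zip(t.args, sig[t.name])), default=0)
```

Because `subst` consults the signature only for binding arities, adding the explicit-substitution operation changes nothing in the code: under a shift, the first argument of `esub` is lifted once and the second is not, exactly as the arity (1, 0) prescribes.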


3 Initial-algebra semantics of binding signatures in De 
Bruijn monads 


In this section, for any binding signature $S$, we organise De Bruijn S-algebras
into a category, S-DBAlg, and prove that the term De Bruijn S-algebra is initial
therein.
3.1 A category of De Bruijn monads
Let us start by organising general De Bruijn monads into a category: 


Definition 12. A morphism $(X, s, v) \to (Y, t, w)$ between De Bruijn monads is
a set-map $f\colon X \to Y$ commuting with substitution and variables, in the sense
that for all $x \in X$ and $\sigma\colon \mathbb{N} \to X$ we have $f(x[\sigma]) = f(x)[f \circ \sigma]$ and $f \circ v = w$.


Remark 7. More explicitly, the first axiom says: $f(s(x, \sigma)) = t(f(x), f \circ \sigma)$.


Notation 3.1. De Bruijn monads and morphisms between them form a category,
which we denote by DBMnd. 


Let us conclude this subsection by briefly mentioning a categorical point of 
view on the category of De Bruijn monads for the categorically-minded reader, 
in terms of relative monads [2]. 


Proposition 1. The category DBMnd is canonically isomorphic to the category
of monads relative to the functor $1 \to \mathrm{Set}$ picking $\mathbb{N}$.


Remark 8. Canonicity here means that the isomorphism lies over the canonical
isomorphism $[1, \mathrm{Set}] \cong \mathrm{Set}$.


According to the theory of [2], this yields: 


Corollary 1. The tensor product $X \otimes Y := X \times Y^{\mathbb{N}}$ induces a skew monoidal [28]
structure on Set, and DBMnd is precisely the category of monoids therein.


Proof. To see this, let us observe that, by viewing any set $X$, in particular $\mathbb{N}$,
as a functor $1 \to \mathrm{Set}$, one may compute the left Kan extension of $X$ along $\mathbb{N}$,
which is a functor $\mathrm{Lan}_{\mathbb{N}}(X)\colon \mathrm{Set} \to \mathrm{Set}$. By the standard formula for left Kan
extensions [21], we have $\mathrm{Lan}_{\mathbb{N}}(X)(Y) = X \times Y^{\mathbb{N}} = X \otimes Y$. The result thus follows
by [2, Theorems 4 and 5].


3.2 Categories of De Bruijn algebras 


In this section, for any binding signature $S$, we organise De Bruijn S-algebras
into a category S-DBAlg.
Let us start by recalling the category of $S$-algebras for a first-order $S$:


Definition 13. For any first-order signature $S$, a morphism $X \to Y$ of $S$-
algebras is a map $f$ between underlying sets commuting with operations, in the
sense that for each $o \in O$, letting $p := ar(o)$, we have $f(o_X(x_1, \dots, x_p)) =
o_Y(f(x_1), \dots, f(x_p))$.
We denote by $S$-alg the category of $S$-algebras and morphisms between them.


We now exploit this to define De Bruijn S-algebras: 


Definition 14. For any binding signature $S$, a morphism of De Bruijn S-algebras
is a map $f\colon X \to Y$ between underlying sets, which is a morphism both of De
Bruijn monads and of $|S|$-algebras. We denote by S-DBAlg the category of De
Bruijn S-algebras and morphisms between them.
Theorem 2. Consider any binding signature $S = (O, ar)$, and let $DB_S$ denote
the initial $(\mathbb{N} + \Sigma_S)$-algebra. Then, the De Bruijn S-algebra structure of Theorem 1
on $DB_S$ makes it initial in S-DBAlg.


Proof. We have proved the result in both HOL Light [22] and Coq [20]. 


4 Relation to presheaf-based models 


The classical initial-algebra semantics introduced in [11] associates in particular
to each binding signature $S$ a category, say $\Phi_S$-Mon of models, while we have
proposed in §3 an alternative category of models S-DBAlg. In this section, we
are interested in comparing both categories of models.

In fact, we find that both include exotic models, in the sense that we do 
not see any loss in ruling them out. And when we do so, we obtain equivalent 
categories. 


4.1 Trimming down presheaf-based models 


First of all, in this subsection, let us recall the mainstream approach we want to 
relate to, and exclude some exotic objects from it. 


Presheaf-based models We start by recalling the presheaf-based approach.
The ambient category is the category of functors $[\mathbb{F}, \mathrm{Set}]$, where $\mathbb{F}$ denotes the
category of finite ordinals, and all maps between them. As is well-known, this
category is equivalent to the category $[\mathrm{Set}, \mathrm{Set}]_f$ of finitary endofunctors on
sets, and inherits from it a substitution monoidal structure. By construction,
monoids for this monoidal structure are equivalent to finitary monads on sets.

The idea is then to interpret binding signatures $S$ as endofunctors $\Phi_S$ on
$[\mathbb{F}, \mathrm{Set}]$, and to define models as monoids equipped with $\Phi_S$-algebra structure,
satisfying a suitable compatibility condition.

The definition of $\Phi_S$ relies on an operation called derivation:


Definition 15 (Endofunctor associated to a binding signature). 


— Let the derivative $X'$ of any functor $X\colon \mathbb{F} \to \mathrm{Set}$ be defined by $X'(n) =
X(n+1)$.

— Furthermore, let $X^{(0)} = X$, and $X^{(n+1)} = (X^{(n)})'$.

— For any binding arity $a = (n_1, \dots, n_p)$, let $\Phi_a(X) = X^{(n_1)} \times \dots \times X^{(n_p)}$.

— For any binding signature $S = (O, ar)$, let $\Phi_S = \sum_{o \in O} \Phi_{ar(o)}$.


Proposition 2. Through the equivalence with finitary functors, derivation be-
comes $F'(A) = F(A + 1)$, for any finitary $F\colon \mathrm{Set} \to \mathrm{Set}$ and $A \in \mathrm{Set}$.


Example 6. For the binding signature $S_\lambda$ of Example 4 for $\lambda$-calculus we get
$\Phi_{S_\lambda}(X)(n) = X(n)^2 + X(n+1)$.
Next, we want to express the relevant compatibility condition between alge-
bra and monoid structure. For this, let us briefly recall the notion of pointed 
strength, see [11,10] for details. 


Definition 16. A pointed strength on an endofunctor $F\colon \mathcal{C} \to \mathcal{C}$ on a mo-
noidal category $(\mathcal{C}, \otimes, I, \alpha, \lambda, \rho)$ is a family of morphisms $st_{C,(D,v)}\colon F(C) \otimes D \to
F(C \otimes D)$, natural in $C \in \mathcal{C}$ and $(D, v\colon I \to D) \in I/\mathcal{C}$, the coslice category below
$I$, satisfying two coherence conditions.


The next step is to observe that binding signatures generate pointed strong 
endofunctors. 


Definition 17. The derivation endofunctor $X \mapsto X'$ on $[\mathbb{F}, \mathrm{Set}]$ has a pointed
strength, defined through the equivalence with finitary functors by

$$G(F(X) + 1) \xrightarrow{\ G(F(X) + v_1)\ } G(F(X) + F(1)) \xrightarrow{\ G[F(\mathrm{in}_1), F(\mathrm{in}_2)]\ } G(F(X + 1)).$$


Product, coproduct, and composition of endofunctors lift to pointed strong
endofunctors, which yields:


Corollary 2 ([11,10]). For all binding signatures $S$, $\Phi_S$ is pointed strong.
At last, we arrive at the definition of models. 


Definition 18. For any pointed strong endofunctor $F$ on $\mathcal{C}$, an $F$-monoid is
an object $X$ equipped with $F$-algebra and monoid structure, say $a\colon F(X) \to X$,
$s\colon X \otimes X \to X$, and $v\colon I \to X$, such that the following pentagon commutes:

$$F(X) \otimes X \xrightarrow{\ st\ } F(X \otimes X) \xrightarrow{\ F(s)\ } F(X) \xrightarrow{\ a\ } X
\qquad = \qquad
F(X) \otimes X \xrightarrow{\ a \otimes X\ } X \otimes X \xrightarrow{\ s\ } X.$$

A morphism of $F$-monoids is a morphism in $\mathcal{C}$ which is a morphism both of
$F$-algebras and of monoids. We let $F$-Mon denote the category of $F$-monoids
and morphisms between them.


Example 7. For the binding signature $S_\lambda$ of Example 4, a $\Phi_{S_\lambda}$-monoid is an ob-
ject $X$, equipped with maps $X' \to X$ and $X^2 \to X$, and compatible monoid struc-
ture. Compatibility describes how substitution should be pushed down through
abstractions and applications.


Well-behaved presheaves The exoticness we want to rule out only concerns 
the underlying functor of a model, so we just have to define well-behaved functors 
in [F, Set]. 

Well-behavedness for a functor T: F — Set is about getting closed terms 
right. More precisely, for some finite sets m and n, an element of T(m +n) which 
both exists in T(m) and T(n) should also exist in T(0), and uniquely so. This 
says exactly that T should preserve the pullback 
Remark 9. The reader might wonder about other, i.e., non-empty pullbacks. But
these are automatically preserved, by [29, Proposition 2.1]. 


Definition 19. 


— A functor $\mathbb{F} \to \mathrm{Set}$ is well-behaved iff it preserves binary intersections, or
equivalently empty binary intersections. Let $[\mathbb{F}, \mathrm{Set}]_{wb}$ denote the full sub-
category spanned by well-behaved functors.

— For any binding signature $S$, an object of $\Phi_S$-Mon is well-behaved iff the
underlying functor is. Let $\Phi_S\text{-}\mathrm{Mon}_{wb}$ denote the full subcategory spanned by
well-behaved objects.


Example 8. As an example of a non well-behaved finitary monad, consider the
monad $L$ of $\lambda$-calculus but edited so that $L(0) = \emptyset$.


The important result for comparing the presheaf-based approach with ours 
is the following. 


Proposition 3. The subcategory $\Phi_S\text{-}\mathrm{Mon}_{wb}$ includes the initial object.


Proof. Roughly, closed terms are isomorphic to terms in two free variables that 
use neither the first, nor the second. 


Remark 10. In most natural situations, all models are in fact well-behaved [16, 
Proposition 5.17]. 


4.2 Trimming down De Bruijn monads 


Let us now turn to well-behaved De Bruijn algebras. Here well-behavedness 
is about finitariness. However, it may not be immediately clear how to define 
finitariness of a De Bruijn monad. 


Definition 20. A De Bruijn monad $(X, s, v)$ is finitary iff each of its elements
$x \in X$ has a (finite) support $N_x \in \mathbb{N}$, in the sense that for all $f\colon \mathbb{N} \to \mathbb{N}$ fixing
the first $N_x$ numbers, the corresponding renaming $v \circ f$ fixes $x$.


Example 9. By Proposition 4 below, the initial S-algebra is finitary, for any
binding signature $S$. For a counterexample, consider the greatest fixed point
$\nu A.\ \mathbb{N} + \Sigma_S(A)$, for any $S$ with at least one operation with more than one argument.
E.g., if $S$ has an operation of binding arity $(0, 0)$, like application in $\lambda$-calculus,
then the term $v(0)\ (v(1)\ (v(2) \dots))$ does not have finite support.


Definition 21. For any binding signature $S$, let $S\text{-}\mathrm{DBAlg}_{fin}$ denote the full
subcategory spanning De Bruijn S-algebras whose underlying De Bruijn monad
is finitary.


Proposition 4. The subcategory $S\text{-}\mathrm{DBAlg}_{fin}$ includes the initial object.
4.3 Bridging the gap


We may at last state the relationship between initial-algebra semantics of binding 
signatures in presheaves and in De Bruijn monads: 


Theorem 3. Consider any binding signature $S$. The subcategories $\Phi_S\text{-}\mathrm{Mon}_{wb}$
and $S\text{-}\mathrm{DBAlg}_{fin}$ are equivalent.


Proof. See [16, Appendix A]. 


Remark 11. The moral of this is that, if one removes exotic objects from both
$\Phi_S$-Mon and S-DBAlg, then one obtains equivalent categories, which both
retain the initial object. Thus, the two approaches to initial-algebra semantics
of binding signatures differ only marginally.

Restricting attention to well-behaved objects, we may thus benefit from the 
strengths of both approaches. Typically, in De Bruijn monads, free variables 
need to be computed explicitly, while presheaves come with intrinsic scoping, 
as terms are indexed by sets of potential free variables. Conversely, in some 
settings, observational equivalence may relate programs with different sets of 
free variables [25]. In such cases, it is useful to have all terms collected in one 
single set. This needs to be computed (and involves non-trivial quotienting) in 
presheaves, while it is direct in De Bruijn monads. 


5 Strength-based interpretation of the binding conditions 


In the previous section, we have compared the category S-DBAlg of models
of a binding signature in De Bruijn monads with the standard category of $\Phi_S$-
monoids [11]. In this section, we establish a different kind of link, by showing
that, for any binding signature $S$, both categories S-DBAlg and $\Phi_S$-Mon are
instances of a common categorical construction. We have seen that the standard
category $\Phi_S$-Mon is constructed from the pointed strong endofunctor $\Phi_S$, so we
would like a similar construction of S-DBAlg. However, pointed strong
endofunctors live on monoidal categories [11,10], while we have seen in Corollary 1
that $\mathbb{N}$ and the tensor product only equip Set with skew monoidal structure. In
order to bridge this gap, we resort to a generalisation of pointed strengths to
skew monoidal categories proposed by Borthelle et al. [6].

We give a condensed account: the interested reader is referred to [16, §6]. 

The starting point is that the endofunctor $\Sigma_S$ associated to any given binding
signature $S$ may be equipped with a family of maps

$$\mathrm{dbs}_S\colon \Sigma_S(X) \otimes Y \to \Sigma_S(X \otimes Y).$$


However, in order for such a map to be well-defined, we need to assume that 
Y features variables and renaming, i.e., that it is a pointed N-module, as we 
now introduce: 


Definition 22. 
— An $\mathbb{N}$-module is a set $X$ equipped with an action $X \times \mathbb{N}^{\mathbb{N}} = X \otimes \mathbb{N} \to X$ of
the monoid $\mathbb{N}^{\mathbb{N}}$.

— For such an action $r\colon X \times \mathbb{N}^{\mathbb{N}} = X \otimes \mathbb{N} \to X$, we generally denote $r(x, f)$ by
$x[f]_r$, or merely $x[f]$ when clear from context.

— A morphism of $\mathbb{N}$-modules is a map between underlying sets, commuting with
action in the obvious sense.

— A pointed $\mathbb{N}$-module is an $\mathbb{N}$-module $(X, r)$, equipped with a map $v\colon \mathbb{N} \to X$
which is a morphism of $\mathbb{N}$-modules.

— A morphism of pointed $\mathbb{N}$-modules is a map commuting with action and point,
in the obvious sense.

— Let $\mathbb{N}\text{-}\mathrm{Mod}_\bullet$ denote the category of pointed $\mathbb{N}$-modules.


Example 10. Any De Bruijn monad $(X, s, v)$ (in particular $\mathbb{N}$ itself) has a canon-
ical structure of pointed $\mathbb{N}$-module given by $v$ and $r(x, f) = x[v \circ f]$.


We may now define the map $\mathrm{dbs}_S$. Lifting of assignments (Definition 3)
straightforwardly generalises to pointed $\mathbb{N}$-modules. Recalling the definition

$$\Sigma_S(X) = \sum_{o \in O} X^{p_o},$$

where $ar(o) = (n^o_1, \dots, n^o_{p_o})$ for all $o \in O$, we thus simply have:


Definition 23. For any binding signature $S = (O, ar)$, the De Bruijn strength
$\mathrm{dbs}_S$ of the induced endofunctor $\Sigma_S$ is defined by

$$\Sigma_S(X) \otimes Y \to \Sigma_S(X \otimes Y), \qquad
((o, (x_1, \dots, x_{p_o})), \sigma) \mapsto (o, ((x_1, \Uparrow^{n^o_1} \sigma), \dots, (x_{p_o}, \Uparrow^{n^o_{p_o}} \sigma))),$$

for all sets $X$ and pointed $\mathbb{N}$-modules $Y$, with again $ar(o) = (n^o_1, \dots, n^o_{p_o})$.


The fact that any De Bruijn monad is in particular a pointed N-module by 
Example 10 enables the definition of models in the strength-based approach: 


Definition 24. For any binding signature $S$, a $\Sigma_S$-monoid is an object $X$,
equipped with monoid and $\Sigma_S$-algebra structure, say $s\colon X \otimes X \to X$, $v\colon \mathbb{N} \to X$,
and $a\colon \Sigma_S(X) \to X$, making the following pentagon commute:

$$\Sigma_S(X) \otimes X \xrightarrow{\ \mathrm{dbs}_S\ } \Sigma_S(X \otimes X) \xrightarrow{\ \Sigma_S(s)\ } \Sigma_S(X) \xrightarrow{\ a\ } X
\qquad = \qquad
\Sigma_S(X) \otimes X \xrightarrow{\ a \otimes X\ } X \otimes X \xrightarrow{\ s\ } X. \qquad (3)$$

A morphism of $\Sigma_S$-monoids is a map which is both a monoid and a $\Sigma_S$-algebra
morphism.

Let $\Sigma_S$-Mon denote the category of $\Sigma_S$-monoids and morphisms between
them.


Remark 12. In [16], this definition is framed in a more general context, notably
emphasising the fact that $\mathrm{dbs}_S$ is in fact a structural strength on the endo-
functor $\Sigma_S$.
We may at last relate the initial-algebra semantics of §3 with the strength-based
approach: 


Proposition 5. For any binding signature $S = (O, ar)$ and De Bruijn monad
$(M, s, v)$ equipped with a map $o_M\colon M^p \to M$ for all $o \in O$ with $ar(o) = (n_1, \dots, n_p)$,
the following are equivalent:


(i) each map $o_M\colon M^p \to M$ satisfies the $ar(o)$-binding condition w.r.t. $(s, v)$;
(ii) the corresponding map $\Sigma_S M \to M$ renders the pentagon (3) commutative.


Corollary 3. For any binding signature $S$, we have an isomorphism $\Sigma_S\text{-}\mathrm{Mon} \cong
S\text{-}\mathrm{DBAlg}$ of categories over Set.


This readily entails the following (bundled) reformulation of Theorems 1 and 2. 


Corollary 4. Consider any binding signature $S = (O, ar)$, and let $DB_S$ denote
the initial $(\mathbb{N} + \Sigma_S)$-algebra, with structure maps $v\colon \mathbb{N} \to DB_S$ and $a\colon \Sigma_S(DB_S) \to
DB_S$. Then:


(i) There exists a unique substitution map $s\colon DB_S \otimes DB_S \to DB_S$ such that


— the map $\mathbb{N} \otimes DB_S \xrightarrow{\ v \otimes DB_S\ } DB_S \otimes DB_S \xrightarrow{\ s\ } DB_S$ coincides with the left unit
of the skew monoidal structure $(n, f) \mapsto f(n)$, and
— the pentagon (3) (with $\Sigma := \Sigma_S$) commutes.
(ii) This substitution map turns $(DB_S, v, s, a)$ into a $\Sigma_S$-monoid.
(iii) This $\Sigma_S$-monoid is initial in $\Sigma_S$-Mon.


Proof. Let Mon(Set) denote the category of monoids in Set for the skew monoi-
dal structure. We have an equality Mon(Set) = DBMnd of categories, and the
algebra structure $\Sigma_S(DB_S) \to DB_S$ is merely the cotupling of the maps $o_{DB_S}$ of
Theorem 1. This correspondence translates one statement into the other.


Remark 13. This result hints at a potential push-button proof of Theorems 1
and 2 (and Corollary 4). Indeed, it is almost an instance of [6, Theorem 2.15]: 
the latter is stated for general skew monoidal categories instead of merely Set, 
but does not directly apply in the present setting, because it assumes that the 
tensor product is finitary in the second argument. 


6 Simply-typed extension 


In this section, we extend the framework of §2—3, which is untyped, to the simply- 
typed case. The development essentially follows the same pattern, replacing sets 
with families. 

We fix in the whole section a set $T$ of types, and call $T$-sets the objects of
$\mathrm{Set}^T$. A morphism $X \to Y$ is a family $(X(\tau) \to Y(\tau))_{\tau \in T}$ of maps.
6.1 De Bruijn T-monads


In this subsection, we define the typed analogue of De Bruijn monads. 
The role of N will be played in the typed context by the following T-set. 


Definition 25. Let $\mathbf{N} \in \mathrm{Set}^T$ be defined by $\mathbf{N}(\tau) = \mathbb{N}$.


Remark 14. This provides a countable set of variables at each type, which may
not quite be what the reader would have called “typed De Bruijn representation”.
An inconvenience of this representation is that an “erasure” map from typed to
untyped terms appears to need to rely on a bijection $T \times \mathbb{N} \cong \mathbb{N}$ for “renaming”
variables. In particular, not all indices can be preserved by such a map.


Definition 26. Given a $T$-set $X$, an $X$-assignment is a morphism $\mathbf{N} \to X$.
We sometimes merely use “assignment” when $X$ is clear from context.


The analogue of the tensor product $X \otimes Y = X \times Y^{\mathbb{N}}$ will be played by $[\mathbf{N}, Y] \cdot X$,
i.e., the iterated self-coproduct of $X$, with one copy per $Y$-assignment.


Notation 6.1. For coherence with the untyped case, we tend to write an element
of $([\mathbf{N}, Y] \cdot X)(\tau)$ as $(x, f)$, with $x \in X(\tau)$ and $f\colon \mathbf{N} \to Y$.
Furthermore, Notation 2.1 straightforwardly adapts to the typed case.


The definition of De Bruijn monads generalises almost mutatis mutandis:

Definition 27. A De Bruijn $T$-monad is a $T$-set $X$, equipped with


— a substitution morphism $s\colon [\mathbf{N}, X] \cdot X \to X$, which takes an element $x \in X$
and an assignment $f\colon \mathbf{N} \to X$, and returns an element $x[f]$, and
— a variables morphism $v\colon \mathbf{N} \to X$,


such that for all $x \in X$, and $f, g\colon \mathbf{N} \to X$, we have

$$x[f][g] = x[f[g]] \qquad v(n)[f] = f(n) \qquad x[v] = x.$$


Example 11. The set $\Lambda_{ST}$ of simply-typed $\lambda$-terms with free variables of type $\tau$
in $\mathbb{N} \times \{\tau\}$, considered equivalent modulo $\alpha$-renaming, forms a De Bruijn $T$-monad.
Variables $\mathbf{N} \to \Lambda_{ST}$ are given by mapping, at any $\tau$, any $n \in \mathbb{N}$ to the variable
$(n, \tau)$. Substitution $[\mathbf{N}, \Lambda_{ST}] \cdot \Lambda_{ST} \to \Lambda_{ST}$ is standard, capture-avoiding substi-
tution. One main purpose of this section is to characterise $\Lambda_{ST}$ by a universal
property, and reconstruct it categorically.


Morphisms generalise straightforwardly, and we get: 


Proposition 6. De Bruijn T-monads and morphisms between them form a cat- 
egory DBMnd(T). 
6.2 Initial-algebra semantics


We now adapt the initial-algebra semantics of §3 to the typed case. Let us start 
by generalising lifting to the typed case. This relies on a typed form of lifting, 
which acts on all variables of a given type, leaving all other variables untouched. 


Definition 28. Let $(X, s, v)$ denote any De Bruijn $T$-monad. We first define a
typed analogue $\uparrow^\tau$ of the $\uparrow$ of Definition 3, as below left, and then the lifting $\Uparrow^\tau \sigma$ of
any assignment $\sigma\colon \mathbf{N} \to X$ as below right.

$$\begin{array}{ll}
(\uparrow^\tau)_\tau(n) = v_\tau(n+1) & (\Uparrow^\tau \sigma)_\tau(0) = v_\tau(0) \\
(\uparrow^\tau)_{\tau'}(n) = v_{\tau'}(n) \quad (\text{if } \tau' \neq \tau) & (\Uparrow^\tau \sigma)_\tau(n+1) = \sigma_\tau(n)[\uparrow^\tau] \\
 & (\Uparrow^\tau \sigma)_{\tau'}(n) = \sigma_{\tau'}(n)[\uparrow^\tau] \quad (\text{if } \tau' \neq \tau).
\end{array}$$

Finally, for any sequence $\gamma = (\tau_1, \dots, \tau_n)$ of types, we define $\Uparrow^\gamma \sigma$ inductively,
by $\Uparrow^\varepsilon \sigma = \sigma$ and $\Uparrow^{(\gamma, \tau)} \sigma = \Uparrow^\tau (\Uparrow^\gamma \sigma)$, where $\varepsilon$ denotes the empty sequence.

We then generalise first-order and binding arities. The main point is:

Definition 29. A binding arity is an element of $(T^* \times T)^* \times T$, i.e., a tuple $(((\gamma_1, \tau_1), \ldots, (\gamma_p, \tau_p)), \tau)$, where each $\gamma_i \in T^*$ is a list of types, and each $\tau_i$, as well as $\tau$, are types, thought of as an inference rule
$$\frac{\gamma_1 \vdash \tau_1 \quad \cdots \quad \gamma_p \vdash \tau_p}{\vdash \tau}.$$

Example 12. The binding signature for simply-typed $\lambda$-calculus has two operations $\mathrm{lam}_{\tau,\tau'}$ and $\mathrm{app}_{\tau,\tau'}$ for all types $\tau$ and $\tau'$, of respective arities
$$\frac{\tau \vdash \tau'}{\vdash \tau \to \tau'} \qquad \text{and} \qquad \frac{\vdash \tau \to \tau' \quad \vdash \tau}{\vdash \tau'}.$$


This allows us to generalise binding conditions, as follows.

Definition 30. Let $a = (((\gamma_1, \tau_1), \ldots, (\gamma_p, \tau_p)), \tau)$ be any binding arity, and $M$ be any $T$-set equipped with morphisms $s \colon [N, M] \cdot M \to M$ and $v \colon N \to M$. An operation of binding arity $a$ is a map $o \colon M(\tau_1) \times \ldots \times M(\tau_p) \to M(\tau)$ satisfying the following $a$-binding condition w.r.t. $(s, v)$:
$$\forall \sigma \colon N \to M,\ (x_1, \ldots, x_p) \in M(\tau_1) \times \ldots \times M(\tau_p), \qquad o(x_1, \ldots, x_p)[\sigma] = o(x_1[\Uparrow^{\gamma_1} \sigma], \ldots, x_p[\Uparrow^{\gamma_p} \sigma]). \tag{4}$$
We may now generalise signatures and their models. 


Definition 31. A $T$-binding signature consists of a set $O$ of operations, equipped with an arity map $O \to (T^* \times T)^* \times T$.


Definition 32. Consider any $T$-binding signature $S := (O, \mathrm{ar})$. A De Bruijn $S$-algebra consists of a De Bruijn $T$-monad $(X, s, v)$, together with algebra structure on $X$ for the underlying first-order signature $|S|$, in the obvious sense, such that for all $o \in O$ with arity $\mathrm{ar}(o) = (((\gamma_1, \tau_1), \ldots, (\gamma_p, \tau_p)), \tau)$, the structural map $o_X \colon X(\tau_1) \times \ldots \times X(\tau_p) \to X(\tau)$ satisfies the $\mathrm{ar}(o)$-binding condition w.r.t. $(s, v)$.

We denote by $S\text{-}\mathrm{DBAlg}$ the category of De Bruijn $S$-algebras and (the obvious notion of) morphisms between them.

Finally, following the untyped case, we may associate to each signature an endofunctor $\Sigma_S$, and we have the following typed extension of the initiality theorem.


Theorem 4. For any $T$-binding signature $S$, let $\mathrm{DB}_S$ denote the initial $(N + \Sigma_S)$-algebra, with structure maps $v \colon N \to \mathrm{DB}_S$ and $a \colon \Sigma_S(\mathrm{DB}_S) \to \mathrm{DB}_S$, inducing maps $o_{\mathrm{DB}_S} \colon \mathrm{DB}_S(\tau_1) \times \ldots \times \mathrm{DB}_S(\tau_p) \to \mathrm{DB}_S(\tau)$ for all $o \in O$ with $\mathrm{ar}(o) = (((\gamma_1, \tau_1), \ldots, (\gamma_p, \tau_p)), \tau)$. Then:

(i) There exists a unique map $s \colon [N, \mathrm{DB}_S] \cdot \mathrm{DB}_S \to \mathrm{DB}_S$ such that
— for all $\tau \in T$, $n \in \mathbb{N}$, and $f \colon N \to \mathrm{DB}_S$, $s_{\tau}(v_{\tau}(n), f) = f_{\tau}(n)$, and
— for all $o \in O$, the map $o_{\mathrm{DB}_S}$ satisfies the $\mathrm{ar}(o)$-binding condition w.r.t. $(s, v)$.
(ii) This map turns $(\mathrm{DB}_S, v, s, a)$ into a De Bruijn $S$-algebra.
(iii) This De Bruijn $S$-algebra is initial in $S\text{-}\mathrm{DBAlg}$.


Example 13. While we saw in Example 12 that the De Bruijn monad of simply-typed $\lambda$-calculus terms admits a simple signature, there is another relevant, related monad, whose elements at any type are the values of that type. (Indeed, values are closed under value substitution.) It is relatively straightforward to design a binding signature for this De Bruijn monad, following [15].


7 Equations 


In this section, we introduce a notion of equational theory for specifying (typed) De Bruijn monads, following ideas from [8].

Definition 33. A De Bruijn equational theory consists of

— two binding signatures $S$ and $T$, and
— two functors $L, R \colon S\text{-}\mathrm{DBAlg} \to T\text{-}\mathrm{DBAlg}$ over $\mathrm{DBMnd}(T)$, i.e., making the following diagram commute serially, where $U^S$ and $U^T$ denote the forgetful functors:
$$U^T \circ L = U^S = U^T \circ R, \qquad \text{for } L, R \colon S\text{-}\mathrm{DBAlg} \rightrightarrows T\text{-}\mathrm{DBAlg} \text{ and } U^S, U^T \text{ into } \mathrm{DBMnd}(T).$$


Example 14. Recalling the binding signature $S_\lambda$ for $\lambda$-calculus from Example 4, let us define a De Bruijn equational theory for $\beta$-equivalence. We take $T_\beta = (1, 0)$, and for any De Bruijn $S_\lambda$-algebra $X$,

— $L(X)$ has as structure map $(e_1, e_2) \mapsto \mathrm{app}(\mathrm{lam}(e_1), e_2)$, while
— $R(X)$ has as structure map $(e_1, e_2) \mapsto e_1[e_2 \cdot \mathrm{id}]$.
(Here $e_2 \cdot \mathrm{id}$ denotes the assignment $0 \mapsto e_2$, $n+1 \mapsto v(n)$.)
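Definitions 27 and 28 and Example 14 in executable form. The following Python is an added example; it is not code from the paper nor from its Coq or HOL developments. It implements the De Bruijn $T$-monad of simply-typed $\lambda$-terms with one index space per type (Example 11), the typed shift $\uparrow^{\tau}$ and lifting $\Uparrow^{\tau}$ of Definition 28, the composed assignment $f[g]$, the assignment $e_2 \cdot \mathrm{id}$ and the root $\beta$-step of Example 14, and checks the three equations of Definition 27 on constructed sample terms. The constructor names (Var, Lam, App), the helper names (shift, lift, subst, compose, cons, beta_step, update) and the encoding of types as strings and ("->", dom, cod) tuples are this example's own choices, not notation from the paper.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple, Union

# Types: a base type is a string, an arrow type is a tuple ("->", dom, cod).
Ty = Union[str, tuple]

@dataclass(frozen=True)
class Var:
    n: int          # De Bruijn index, counted among variables of type ty only
    ty: Ty

@dataclass(frozen=True)
class Lam:
    ty: Ty          # type of the bound variable
    body: "Term"

@dataclass(frozen=True)
class App:
    fn: "Term"
    arg: "Term"

Term = Union[Var, Lam, App]
# An assignment sigma: N -> X, given component-wise: sigma(n, ty) is a term of type ty.
Assignment = Callable[[int, Ty], Term]

def var(n: int, ty: Ty) -> Term:
    """The variables morphism v: at each type, n |-> the variable (n, ty)."""
    return Var(n, ty)

def shift(tau: Ty) -> Assignment:
    """Typed shift: (n, tau) |-> (n+1, tau); variables of other types are untouched."""
    return lambda n, ty: Var(n + 1, ty) if ty == tau else Var(n, ty)

def lift(tau: Ty, sigma: Assignment) -> Assignment:
    """Typed lifting of sigma under one binder of type tau (Definition 28, right column)."""
    def lifted(n: int, ty: Ty) -> Term:
        if ty == tau:
            return Var(0, tau) if n == 0 else subst(sigma(n - 1, tau), shift(tau))
        return subst(sigma(n, ty), shift(tau))
    return lifted

def subst(t: Term, sigma: Assignment) -> Term:
    """x[sigma]: substitution; the Lam case is exactly the binding condition for lam."""
    if isinstance(t, Var):
        return sigma(t.n, t.ty)
    if isinstance(t, App):
        return App(subst(t.fn, sigma), subst(t.arg, sigma))
    return Lam(t.ty, subst(t.body, lift(t.ty, sigma)))

def compose(f: Assignment, g: Assignment) -> Assignment:
    """f[g]: the assignment n |-> f(n)[g]."""
    return lambda n, ty: subst(f(n, ty), g)

def cons(e: Term, tau: Ty) -> Assignment:
    """e . id at type tau: (0,tau) |-> e, (n+1,tau) |-> (n,tau); other types as v."""
    def a(n: int, ty: Ty) -> Term:
        if ty == tau:
            return e if n == 0 else Var(n - 1, tau)
        return Var(n, ty)
    return a

def beta_step(t: Term) -> Optional[Term]:
    """Root beta step, app(lam_tau(e1), e2) |-> e1[e2 . id]; None if the root is not a redex."""
    if isinstance(t, App) and isinstance(t.fn, Lam):
        return subst(t.fn.body, cons(t.arg, t.fn.ty))
    return None

def update(base: Assignment, table: dict) -> Assignment:
    """Finite modification of an assignment: overrides base on the keys of table."""
    return lambda n, ty: table.get((n, ty), base(n, ty))

def monad_laws_hold(x: Term, f: Assignment, g: Assignment,
                    probes: List[Tuple[int, Ty]]) -> bool:
    """The three equations of Definition 27, checked on x, f, g and the listed variables."""
    law_id = subst(x, var) == x
    law_var = all(subst(var(n, ty), f) == f(n, ty) for n, ty in probes)
    law_assoc = subst(subst(x, f), g) == subst(x, compose(f, g))
    return law_id and law_var and law_assoc

# Constructed sample: base type o, function type o -> o.
O: Ty = "o"
OO: Ty = ("->", O, O)
# lam x:o. f y, where f = (0, o->o) and y = (0, o) are free; under the binder y is (1, o).
SAMPLE = Lam(O, App(Var(0, OO), Var(1, O)))
SIGMA_F = update(var, {(0, O): App(Var(0, OO), Var(0, O))})   # y |-> f y
SIGMA_G = update(var, {(0, OO): Lam(O, Var(0, O))})            # f |-> lam z:o. z

def demo() -> bool:
    return monad_laws_hold(SAMPLE, SIGMA_F, SIGMA_G, [(0, O), (1, O), (0, OO), (2, OO)])

if __name__ == "__main__":
    print(demo())
```

Because indices are counted per type, substituting for the free variable $(0, o)$ of SAMPLE leaves the index of $f \colon o \to o$ unchanged under the $o$-binder, while the substituted term for $y$ is shifted by $\uparrow^{o}$; this is the typed behaviour Definition 28 prescribes and the untyped $\uparrow$ would not give.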


Definition 34. Given an equational theory $E = (S, T, L, R)$, a De Bruijn $E$-algebra is a De Bruijn $S$-algebra $X$ such that $L(X) = R(X)$.

Let $E\text{-}\mathrm{DBAlg}$ denote the category of $E$-algebras, with morphisms of De Bruijn $S$-algebras between them.

Remark 15. The category $E\text{-}\mathrm{DBAlg}$ is an equaliser of $L$ and $R$ in $\mathbf{CAT}$.


Let us now turn to characterising the initial De Bruijn E-algebra, for any De 
Bruijn equational theory E. For this, we introduce the following relation. 


Definition 35. For any De Bruijn equational theory $E = (S, T, L, R)$, with $S = (O, \mathrm{ar})$ and $T = (O', \mathrm{ar}')$, let $\mathrm{DB}_S$ denote the initial $(N + \Sigma_S)$-algebra. We define $\sim_E$ to be the smallest equivalence relation on $\mathrm{DB}_S$ satisfying the following rules,
$$\frac{}{o'_{L(\mathrm{DB}_S)}(e_1, \ldots, e_p) \sim_E o'_{R(\mathrm{DB}_S)}(e_1, \ldots, e_p)} \qquad \frac{e_1 \sim_E e'_1 \quad \cdots \quad e_q \sim_E e'_q}{o_{\mathrm{DB}_S}(e_1, \ldots, e_q) \sim_E o_{\mathrm{DB}_S}(e'_1, \ldots, e'_q)}$$
for all $e, e_1, \ldots$ in $\mathrm{DB}_S$, $o' \in O'$ with $|\mathrm{ar}'(o')| = p$, and $o \in O$ with $|\mathrm{ar}(o)| = q$.


Example 15. For the equational theory of Example 14, the first rule instantiates precisely to the $\beta$-rule, while the second enforces congruence.

Theorem 5. For any equational theory $E = (S, T, L, R)$, $E\text{-}\mathrm{DBAlg}$ admits an initial object, whose carrier set is the quotient $\mathrm{DB}_S / \sim_E$.

Proof. This has been mechanised in Coq [20] and HOL [22].

Example 16. The initial model for the equational theory of Example 14 is the quotient of $\lambda$-terms in De Bruijn representation by $\beta$-equivalence.


Remark 16. In [16, §9], we mention an equivalent way of defining De Bruijn 
equational theories in terms of modules. 


8 Conclusion 


We have proposed a simple, set-based theory of syntax with variable binding, 
which associates a notion of model (or algebra) to each binding signature, and 
constructs a term model following De Bruijn representation. The notion of model 
features a substitution operation. We have experienced the simplicity of this 
theory by implementing it in both Coq and HOL Light. 

We have furthermore equipped the construction with an initial-algebra se- 
mantics, organising the models of any binding signature into a category, and 
proving that the term model is initial therein. 

We have then studied this initial-algebra semantics in a bit more depth, in 
two directions. We have first established a formal link with the mainstream, 
presheaf-based approach [11], proving that well-behaved models (in a suitable 
sense on each side of the correspondence) agree up to an equivalence of categories. 
We have then recast the whole initial-algebra semantics into the mainstream, 
abstract framework of [11,10]. Finally, we have shown that our theory extends 
easily to a simply-typed setting, and smoothly incorporates equations. 
Abstract. In this paper we prove that the uniform one-dimensional guarded fragment, which is a natural polyadic generalization of guarded two-variable logic, has the Craig interpolation property. We will also prove that the satisfiability problem of the uniform guarded fragment is NEXPTIME-complete.

1 Introduction


The guarded fragment GF is a well studied fragment of first-order logic FO, which was introduced by Andréka, van Benthem and Németi [1] as a generalization of modal logic. Informally speaking, GF is obtained from FO by requiring that all quantification must be relativised by FO-atoms, which is motivated by the observation that "quantification" in modal logics is relativised by accessibility relations. Like modal logic, GF behaves well both computationally and model-theoretically. In particular, it is decidable, it has a (generalized) tree-model property and it satisfies various preservation theorems [1,7].

We say that a logic $\mathcal{L}$ has the Craig interpolation property (CIP), if for every two formulas $\varphi$ and $\psi$ of $\mathcal{L}$ we have that if $\varphi \models \psi$, then there exists a third formula, the interpolant, $\chi$ of $\mathcal{L}$, so that $\varphi \models \chi$, $\chi \models \psi$ and $\chi$ contains only relation symbols which occur in both $\varphi$ and $\psi$. CIP is widely regarded as a property that a "nice" logic should have, and for (reasonable) logics with compactness it implies several other desirable model-theoretic properties such as Projective Beth Definability and Robinson's consistency theorem [1,4,13,19].

It is well-known that various modal logics have CIP [1,6,19], while GF fails to have it [11]. This is somewhat surprising, given that GF is a very natural generalisation of modal logic, and certainly raises the question of how the syntax of GF should be modified so as to obtain a logic which does have CIP, and which also behaves well both computationally and model-theoretically. One option would be to extend further the expressive power of GF, and in this direction we have the guarded negation fragment, which has CIP, is decidable and shares with GF various desirable model-theoretic properties [2].

The other option (and the one which is more relevant for this paper) is to investigate fragments of GF. In this direction we also have a positive result, namely that $\mathrm{GF}^2$, the two-variable fragment of GF, has CIP [11]. Given this result, it is natural to ask whether there exists a polyadic extension of $\mathrm{GF}^2$ which would also have CIP, where by a polyadic extension we mean intuitively a logic which contains $\mathrm{GF}^2$ and can express non-trivial properties of polyadic relations. Indeed, it seems rather unlikely that there would not be such an extension, since it is well-known that there are polyadic modal logics which have CIP [1].

In [9] the uniform one-dimensional fragment $\mathrm{UF}_1$ was introduced, which is a very natural polyadic extension of the two-variable fragment $\mathrm{FO}^2$ of FO. Roughly speaking, $\mathrm{UF}_1$ is obtained from FO by requiring that each maximal existential (or universal) block of quantifiers leaves at most one variable free and that when forming boolean combinations of formulas with more than one free variable, the formulas need to have exactly the same set of free variables. Formulas satisfying the first restriction are called one-dimensional, while formulas satisfying the second restriction are called uniform. In [16] it was proved that $\mathrm{UF}_1$ has the finite model property and that its satisfiability problem is NEXPTIME-complete, which is the same as for $\mathrm{FO}^2$ [8]. The research around $\mathrm{UF}_1$ and its variants has been quite active, see for instance [12,14,15,17,18].

Given that $\mathrm{UF}_1$ is a polyadic extension of $\mathrm{FO}^2$, the guarded $\mathrm{UF}_1$ is a natural candidate for being a polyadic extension of $\mathrm{GF}^2$ with CIP. As the first main result of this paper we will prove that guarded $\mathrm{UF}_1$ does, in fact, have CIP. Our proof follows closely the argument given in [11] for proving that $\mathrm{GF}^2$ has CIP, the main technical difference being that the proof presented in [11] uses crucially the fact that in the case of $\mathrm{GF}^2$ we can assume live sets to have size at most two, while in our case we have to deal with live sets of arbitrary size.

Since the research around modal-like fragments of FO is largely motivated by the fact that their satisfiability problems are often decidable, it is natural to also study the complexity of the satisfiability problem of the guarded $\mathrm{UF}_1$, which was in fact already done in [15]. More precisely, it was proved in [15] that the satisfiability problem of one-dimensional GF is in NEXPTIME, while it is already NEXPTIME-hard for guarded $\mathrm{UF}_1$. These results left open the problem of determining the complexity of uniform GF, and as the second main result of this paper we will prove that the satisfiability problem of uniform GF is also in NEXPTIME (and hence it is NEXPTIME-complete).

We also emphasize that as a necessary by-product of this second technical result, we isolate the uniformity restriction imposed on formulas of $\mathrm{UF}_1$ as an independent syntactical restriction and provide a formal definition for it (which so far has been missing from the literature).¹ We believe that uniformity is an important and natural syntactical restriction (at least) in the context of fragments of FO. Indeed, in addition to $\mathrm{UF}_1$ there are several known decidable fragments of FO which satisfy this restriction up to some degree, such as the one-binding fragments introduced in [20] and the ordered logic introduced in [10]. We hope that the results presented in this paper provide further motivation for the study of various uniform fragments of FO.

¹ To be precise, we only define what it means for a formula to be uniform in the context of GF; however, it is easy to extend this definition to other logics.

The structure of this paper is as follows. After the preliminaries in Section 2, we define a notion of bisimulation for $\mathrm{UGF}_1$ and establish its basic properties in Section 3. After this we will prove that $\mathrm{UGF}_1$ has CIP in Section 4. In Section 5 we will establish that the complexity of the satisfiability problem of uniform GF is NEXPTIME-complete. The final section will list some new problems that the research conducted in this paper raises.


2 Preliminaries 


2.1 Notation 


In this paper we will work with vocabularies which do not contain constants and function symbols. We will also assume that there are no relation symbols of arity 0. We will use Fraktur capital letters to denote structures, and the corresponding Roman letters to denote their domains. Given a model $\mathfrak{A}$ and $C \subseteq A$, we will use $\mathfrak{A} \restriction C$ to denote the restriction of $\mathfrak{A}$ to the set $C$. Given two structures $\mathfrak{A}$ and $\mathfrak{B}$, we will use $\mathfrak{A} \leq \mathfrak{B}$ to denote that $\mathfrak{A}$ is a substructure of $\mathfrak{B}$.

Occasionally we will identify tuples $\bar{a} = (a_1, \ldots, a_n)$ with sets $\{a_1, \ldots, a_n\}$, which allows us to use notations such as $b \in \bar{a}$ and $\bar{a} = X$, where $X$ is a set. Given two tuples $\bar{a}$ and $\bar{b}$ of the same length, we will use $\bar{a} \mapsto \bar{b}$ and $p \colon \bar{a} \to \bar{b}$ to denote the mapping induced by the relation $a_i \mapsto b_i$. Given a tuple $\bar{a} = (a_1, \ldots, a_n)$ and a unary function $f$, we will use $f(\bar{a})$ to denote the tuple $(f(a_1), \ldots, f(a_n))$. Given a positive integer $n$ we will denote $[n] = \{1, \ldots, n\}$. Finally, if $\bar{a} = (a_1, \ldots, a_n)$, $k \geq n$ and $\mu \colon [k] \to [n]$ is a surjection, we will use $\bar{a}_\mu$ to denote the tuple $(a_{\mu(1)}, \ldots, a_{\mu(k)})$.


2.2 Types and Tables 


The following definitions are standard in the context of $\mathrm{UF}_1$ and were first introduced in [16]. Let $\sigma$ be a vocabulary. Given a set $X = \{x_1, \ldots, x_n\}$ of distinct variables and a $k$-ary relation $R \in \sigma$, we say that an atomic formula $R(x_{i_1}, \ldots, x_{i_k})$ is an $X$-atom over $\sigma$, if $X = \{x_{i_1}, \ldots, x_{i_k}\}$. If $\alpha$ is an $X$-atom, then $\alpha$ and $\neg\alpha$ are both $X$-literals over $\sigma$. A 1-type over $\sigma$ is a maximal satisfiable set of $\{x\}$-literals over $\sigma$. We identify 1-types $\pi$ with conjunctions of their elements
$$\bigwedge \pi(x).$$
A $k$-table is a tuple $(\rho, \pi_1, \ldots, \pi_k)$, where each $\pi_\ell$ is a 1-type over $\sigma$, while $\rho$ is a maximal satisfiable set of $\{x_1, \ldots, x_k\}$-literals over $\sigma$. We identify $k$-tables $(\rho, \pi_1, \ldots, \pi_k)$ with conjunctions
$$\bigwedge \rho(x_1, \ldots, x_k) \wedge \bigwedge_{1 \leq \ell \leq k} \pi_\ell(x_\ell).$$

Let $\mathfrak{A}$ be a $\sigma$-model. Given a 1-type $\pi$ over $\sigma$, we say that $a \in A$ realizes $\pi$ if $\pi$ is the unique 1-type so that $\mathfrak{A} \models \pi[a]$; we denote by $\mathrm{tp}^{\mathfrak{A}}_{\sigma}[a]$ the (unique) 1-type $\pi$ over $\sigma$ which is realized by $a$ in $\mathfrak{A}$. For distinct elements $a_1, \ldots, a_k \in A$ we will use $\mathrm{tp}^{\mathfrak{A}}_{\sigma}[a_1, \ldots, a_k]$ to denote the (unique) $k$-table over $\sigma$ which is realized by the tuple $(a_1, \ldots, a_k)$.


2.3 Syntax of Uniform Fragments of GF 


Given a vocabulary $\sigma$, we define $\mathrm{GF}[\sigma]$ to be the smallest set $F$ which satisfies the following requirements.

— $F$ contains all the atomic formulas over $\sigma$, which includes also equalities between variables.
— If $\varphi, \psi \in F$, then $\neg\varphi \in F$ and $(\varphi \wedge \psi) \in F$.
— If $\psi(\bar{x}) \in F$, where each free variable of $\psi$ occurs in the tuple $\bar{x}$, then
$$\exists \bar{y}(\alpha(\bar{x}) \wedge \psi(\bar{x})) \in F,$$
where $\bar{y} \subseteq \bar{x}$ and $\alpha$ is an atomic formula over $\sigma$.

If the vocabulary $\sigma$ is irrelevant or known from the context, then we will simply use GF to denote $\mathrm{GF}[\sigma]$.

Next we will give formal definitions for the syntactical notions of one-dimensionality and uniformity. We will start by making the technical remark that we define the set of subformulas $\mathrm{Sf}(\varphi)$ of $\varphi \in \mathrm{GF}$ recursively in the standard way, except that for formulas of the form $\varphi := \exists\bar{y}(\alpha(\bar{x}) \wedge \psi(\bar{x}))$ we define $\mathrm{Sf}(\varphi)$ to be
$$\{\exists\bar{y}(\alpha(\bar{x}) \wedge \psi(\bar{x}))\} \cup \mathrm{Sf}(\alpha(\bar{x}) \wedge \psi(\bar{x})).$$
In other words, we treat each maximal sequence of existential quantification as a single logical operator.

Definition 1. Let $\varphi \in \mathrm{GF}$ be a formula. We say that $\varphi$ is one-dimensional, if every subformula of $\varphi$ of the form
$$\exists\bar{y}(\alpha(\bar{x}) \wedge \psi(\bar{x}))$$
has at most one free variable. In other words, each maximal sequence of (guarded) existential quantification leaves at most one variable free.


Next we will define what it means for a formula of GF to be uniform. The 
precise definition turns out to be somewhat technical, and we will start with the 
following auxiliary definition. 


Definition 2. Let $X$ be a (possibly empty) set of variables and let $\sigma$ be a vocabulary. A relative $X$-atom over $\sigma$ is a formula $\psi$ of $\mathrm{GF}[\sigma]$ which satisfies one of the following conditions.

1. $\psi$ is a sentence.
2. $\psi$ has one free variable, which belongs to $X$.
3. $\psi$ is of the form $x = y$, where $x, y \in X$.
4. $\psi$ is an $X$-atom over $\sigma$.
5. $\psi$ is of the form $\exists\bar{y}(\alpha(\bar{x}) \wedge \psi'(\bar{x}))$ and the set of its free variables is precisely $X$.

With the aid of this definition we are in a position where we can define the notion of uniformity formally.

Definition 3. Let $\varphi \in \mathrm{GF}[\sigma]$ be a formula. We say that $\varphi$ is uniform, if every subformula $\psi$ of $\varphi$ is a boolean combination of relative $X$-atoms, where $X$ is the set of free variables of $\psi$.


Remark 1. Consider a uniform quantifier-free formula $\psi(x_1, \ldots, x_k)$ of $\mathrm{GF}[\sigma]$. Let $\mathfrak{A}$ be a $\sigma$-model and let $(a_1, \ldots, a_k)$ be a tuple of not necessarily distinct elements. Then whether or not
$$\mathfrak{A} \models \psi(a_1, \ldots, a_k)$$
holds depends only on the table of $(c_1, \ldots, c_\ell)$, where $(c_1, \ldots, c_\ell)$ is an arbitrary enumeration of the set of distinct elements of $(a_1, \ldots, a_k)$.


The definition of uniformity is somewhat technical, but the following exam- 
ples should clarify the intuition behind it. 


Example 1. Let $\sigma = \{S, R, P\}$, where $S$ is a ternary relation symbol, $R$ is a binary relation symbol and $P$ is a unary relation symbol. The formula
$$\exists x \exists y \big(P(x) \wedge R(x, y) \wedge S(x, y, y) \wedge R(y, x) \wedge P(y)\big)$$
is both uniform and one-dimensional. On the other hand the formula
$$\exists x \exists y \big(\exists z (S(x, y, z) \wedge P(z)) \wedge R(x, y) \wedge S(x, y, x)\big)$$
is uniform but not one-dimensional. Finally, the formula
$$\exists x \exists y \exists w \big(R(x, y) \wedge \exists z\, S(x, w, z)\big)$$
is neither one-dimensional nor uniform.


Example 2. The standard translation of polyadic modal logic into FO results in formulas of the form
$$\exists x_1 \ldots \exists x_n \Big(R(x_0, x_1, \ldots, x_n) \wedge \bigwedge_{1 \leq \ell \leq n} \psi_\ell(x_\ell)\Big)$$
which are uniform and one-dimensional [5].

We will use UGF to denote the set of formulas of GF which are uniform and $\mathrm{UGF}_1$ to denote the set of formulas of GF which are both uniform and one-dimensional. Throughout this paper we will use $\varphi(x_1, \ldots, x_n)$, where all the variables in the tuple $(x_1, \ldots, x_n)$ are distinct, to denote a formula of either $\mathrm{UGF}_1$ or UGF such that either $\{x_1, \ldots, x_n\}$ is precisely the set of free variables of $\varphi$, or $\varphi$ has at most one free variable which belongs to $\{x_1, \ldots, x_n\}$, or $\varphi$ is of the form $x_i = x_j$, where $1 \leq i, j \leq n$.
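Definitions 1 to 3 and Example 1 as a runnable syntactic check. The following Python is an added example and is not code from the paper. It represents GF formulas as a small AST with one constructor per maximal guarded existential block (so that $\mathrm{Sf}$ treats the block as a single operator, as stipulated above), computes free variables and subformulas, checks the guard condition of Section 2.3, and decides one-dimensionality (Definition 1) and uniformity (Definition 3, through relative $X$-atoms as in Definition 2). The constructor and function names are this example's own; so is the ternary guard $T(x, y, w)$ added to the third formula of Example 1 so that it is a guarded formula in the sense of Section 2.3 (the example's verdicts on that formula do not depend on the guard).

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Set, Tuple, Union

@dataclass(frozen=True)
class Atom:                    # R(x_1, ..., x_k)
    rel: str
    args: Tuple[str, ...]

@dataclass(frozen=True)
class Eq:                      # x = y
    left: str
    right: str

@dataclass(frozen=True)
class Not:
    sub: "Formula"

@dataclass(frozen=True)
class And:
    left: "Formula"
    right: "Formula"

@dataclass(frozen=True)
class Exists:                  # one maximal block  exists y-bar (alpha(x-bar) and psi(x-bar))
    bound: Tuple[str, ...]
    guard: Atom
    body: Optional["Formula"] = None   # None encodes  exists y-bar alpha(x-bar)

Formula = Union[Atom, Eq, Not, And, Exists]

def free_vars(phi: Formula) -> FrozenSet[str]:
    if isinstance(phi, Atom):
        return frozenset(phi.args)
    if isinstance(phi, Eq):
        return frozenset((phi.left, phi.right))
    if isinstance(phi, Not):
        return free_vars(phi.sub)
    if isinstance(phi, And):
        return free_vars(phi.left) | free_vars(phi.right)
    inner = free_vars(phi.guard) | (free_vars(phi.body) if phi.body else frozenset())
    return inner - frozenset(phi.bound)

def is_guarded(phi: Formula) -> bool:
    """Section 2.3: each block's guard mentions its bound variables and all free
    variables of the quantified body."""
    if isinstance(phi, (Atom, Eq)):
        return True
    if isinstance(phi, Not):
        return is_guarded(phi.sub)
    if isinstance(phi, And):
        return is_guarded(phi.left) and is_guarded(phi.right)
    guard_vars = frozenset(phi.guard.args)
    body_ok = phi.body is None or (free_vars(phi.body) <= guard_vars and is_guarded(phi.body))
    return frozenset(phi.bound) <= guard_vars and body_ok

def subformulas(phi: Formula) -> Set[Formula]:
    """Sf(phi): a quantifier block counts as a single operator."""
    if isinstance(phi, (Atom, Eq)):
        return {phi}
    if isinstance(phi, Not):
        return {phi} | subformulas(phi.sub)
    if isinstance(phi, And):
        return {phi} | subformulas(phi.left) | subformulas(phi.right)
    matrix = phi.guard if phi.body is None else And(phi.guard, phi.body)
    return {phi} | subformulas(matrix)

def is_one_dimensional(phi: Formula) -> bool:
    """Definition 1: every quantifier block leaves at most one variable free."""
    return all(len(free_vars(s)) <= 1 for s in subformulas(phi) if isinstance(s, Exists))

def is_relative_atom(psi: Formula, X: FrozenSet[str]) -> bool:
    """Definition 2, conditions 1 to 5."""
    fv = free_vars(psi)
    if not fv:
        return True                                  # 1. sentence
    if len(fv) == 1 and fv <= X:
        return True                                  # 2. one free variable, in X
    if isinstance(psi, Eq) and fv <= X:
        return True                                  # 3. x = y with x, y in X
    if isinstance(psi, Atom) and fv == X:
        return True                                  # 4. X-atom
    return isinstance(psi, Exists) and fv == X       # 5. block whose free variables are X

def is_boolean_combination(psi: Formula, X: FrozenSet[str]) -> bool:
    if is_relative_atom(psi, X):
        return True
    if isinstance(psi, Not):
        return is_boolean_combination(psi.sub, X)
    if isinstance(psi, And):
        return is_boolean_combination(psi.left, X) and is_boolean_combination(psi.right, X)
    return False

def is_uniform(phi: Formula) -> bool:
    """Definition 3, with X the free variables of each subformula in turn."""
    return all(is_boolean_combination(s, free_vars(s)) for s in subformulas(phi))

def classify(phi: Formula) -> Tuple[bool, bool, bool]:
    """(guarded, one-dimensional, uniform)."""
    return (is_guarded(phi), is_one_dimensional(phi), is_uniform(phi))

# Constructed inputs: the three formulas of Example 1 and the modal translation of Example 2 (n = 2).
F1 = Exists(("x", "y"), Atom("S", ("x", "y", "y")),
            And(Atom("P", ("x",)), And(Atom("R", ("x", "y")), And(Atom("R", ("y", "x")), Atom("P", ("y",))))))
F2 = Exists(("x", "y"), Atom("R", ("x", "y")),
            And(Exists(("z",), Atom("S", ("x", "y", "z")), Atom("P", ("z",))), Atom("S", ("x", "y", "x"))))
F3 = Exists(("x", "y", "w"), Atom("T", ("x", "y", "w")),           # guard T(x, y, w) assumed here
            And(Atom("R", ("x", "y")), Exists(("z",), Atom("S", ("x", "w", "z")))))
MODAL = Exists(("x1", "x2"), Atom("R", ("x0", "x1", "x2")), And(Atom("P", ("x1",)), Atom("Q", ("x2",))))
```

On F3 the uniformity check fails at the conjunction $R(x, y) \wedge \exists z\, S(x, w, z)$, whose free variables are $\{x, y, w\}$ while $R(x, y)$ is only an $\{x, y\}$-atom; this is exactly the mismatch of variable sets that Definition 3 rules out.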
2.4 Interpolation

We start by recalling the definition of the Craig interpolation property.

Definition 4. Given a logic $\mathcal{L}$, we say that $\mathcal{L}$ has the Craig interpolation property (CIP), if for every $\varphi \in \mathcal{L}[\sigma]$ and $\psi \in \mathcal{L}[\tau]$ we have that $\varphi \models \psi$ implies that there exists an interpolant $\chi \in \mathcal{L}[\sigma \cap \tau]$ for this entailment, i.e., a sentence for which $\varphi \models \chi$ and $\chi \models \psi$ hold.


It is well-known that the full GF fails to have CIP. The known examples of 
sentences which demonstrate this can be used to make the following observation. 


Proposition 1. The one-dimensional GF does not have CIP. 


Proof. Consider the following sentences, which are simple variants of the formulas used in [13].
$$\varphi = \exists x \exists y \exists z \big(G(x, y, z) \wedge R(x, y) \wedge R(y, z) \wedge R(z, x)\big)$$
$$\psi = \forall x \forall y \big(R(x, y) \to (A(x) \leftrightarrow \neg A(y))\big)$$
Notice that both of these sentences are one-dimensional, and that $\varphi \models \neg\psi$ indeed holds: $\varphi$ forces an $R$-triangle, which $A$ cannot 2-colour in the way $\psi$ demands. Now one can show, using essentially the same argument as the one used in Example 1 in [13], that there is no interpolant for the implication $\varphi \models \neg\psi$.


We remark that, in the context of fragments of FO, CIP is usually defined 
for formulas instead of sentences (as we have defined it). We could have also 
formulated it for formulas, but we decided to work with sentences for simplicity. 


3 Bisimulation for $\mathrm{UGF}_1$

Given two models $\mathfrak{A}$ and $\mathfrak{B}$, and tuples $\bar{c} \in A^n$ and $\bar{d} \in B^n$, we will use
$$(\mathfrak{A}, \bar{c}) \equiv_\sigma (\mathfrak{B}, \bar{d})$$
to denote the fact that for every $\varphi(x_1, \ldots, x_n) \in \mathrm{UGF}_1[\sigma]$ we have that
$$\mathfrak{A} \models \varphi(c_1, \ldots, c_n) \iff \mathfrak{B} \models \varphi(d_1, \ldots, d_n).$$

The purpose of this section is to define a corresponding notion of bisimulation for $\mathrm{UGF}_1$ which captures the above equivalence relation. We will start by defining a suitable notion of partial isomorphism.

Definition 5. Let $\mathfrak{A}$ and $\mathfrak{B}$ be models, and let $X := \{a_1, \ldots, a_n\} \subseteq A$ and $Y \subseteq B$. A bijection $p \colon X \to Y$ is called a uniform partial $\sigma$-isomorphism between $\mathfrak{A}$ and $\mathfrak{B}$, if
$$\mathrm{tp}^{\mathfrak{A}}_{\sigma}[a_1, \ldots, a_n] = \mathrm{tp}^{\mathfrak{B}}_{\sigma}[p(a_1), \ldots, p(a_n)].$$
Quantification in GF over a model $\mathfrak{A}$ is restricted to live subsets of $A$, i.e., subsets of $A$ which are either singletons or are contained in a single tuple $\bar{a} \in R^{\mathfrak{A}}$, for some $R \in \sigma$. In the case of $\mathrm{UGF}_1$ we will need the following modified version of the notion of live set, which takes into account the requirement that our formulas are uniform.

Definition 6. Let $\mathfrak{A}$ be a model and let $X \subseteq A$. We say that $X$ is $\sigma$-live, if either $|X| \leq 1$ or there exist $R \in \sigma$ and $(a_1, \ldots, a_n) \in R^{\mathfrak{A}}$ so that $X = \{a_1, \ldots, a_n\}$.

We are now ready to define the notion of bisimulation for $\mathrm{UGF}_1$.

Definition 7. Let $Z$ be a non-empty set of uniform partial $\sigma$-isomorphisms between two structures $\mathfrak{A}$ and $\mathfrak{B}$. Let $\bar{c} \in A^n$ and $\bar{d} \in B^n$ be tuples. We say that $Z$ is a uniform guarded $\sigma$-bisimulation between $(\mathfrak{A}, \bar{c})$ and $(\mathfrak{B}, \bar{d})$, if for every $p \colon X \to Y \in Z$ the following conditions hold:

(cover) There exists $h \in Z$ with $\bar{c} = \mathrm{dom}(h)$ so that $h(\bar{c}) = \bar{d}$.
(forth) For any $a \in X$ and $\sigma$-live set $X' \subseteq A$ with $a \in X'$, there exists $q \colon X' \to Y' \in Z$ so that $p(a) = q(a)$.
(back) For any $b \in Y$ and $\sigma$-live set $Y' \subseteq B$ with $b \in Y'$, there exists $q \colon X' \to Y' \in Z$ so that $p^{-1}(b) = q^{-1}(b)$.

If there exists a uniform guarded $\sigma$-bisimulation between $(\mathfrak{A}, \bar{c})$ and $(\mathfrak{B}, \bar{d})$, then we denote this by $(\mathfrak{A}, \bar{c}) \sim_\sigma (\mathfrak{B}, \bar{d})$.


In what follows we will often refer to uniform guarded bisimulations simply as guarded bisimulations. The following two lemmas establish that our notion of bisimulation is correct; the first of them can be proved in a standard manner by induction.

Lemma 1. Let $\mathfrak{A}$ and $\mathfrak{B}$ be models, and let $\bar{c} \in A^n$ and $\bar{d} \in B^n$ be tuples so that $(\mathfrak{A}, \bar{c}) \sim_\sigma (\mathfrak{B}, \bar{d})$. Then $(\mathfrak{A}, \bar{c}) \equiv_\sigma (\mathfrak{B}, \bar{d})$.

For the proof of the second lemma we need to recall the definition of an $\omega$-saturated model. An elementary $n$-type over a vocabulary $\sigma$ is a consistent set of first-order formulas (not necessarily quantifier-free) with free variables in $\{x_1, \ldots, x_n\}$. Given a $\sigma$-model $\mathfrak{A}$, we say that it is $\omega$-saturated, if for every tuple $\bar{a} \in A^n$ of elements of $A$ we have that each elementary $n$-type over the extended vocabulary $\sigma \cup \{a_1, \ldots, a_n\}$, where each $a_i$ denotes a constant to be interpreted as the element $a_i$, which is finitely consistent with the FO-theory of $(\mathfrak{A}, \bar{a})$, is realized in $(\mathfrak{A}, \bar{a})$. It is well-known that every $\sigma$-model, where $\sigma$ is finite and relational, has an $\omega$-saturated elementary extension [3].

Lemma 2. Let $\mathfrak{A}$ and $\mathfrak{B}$ be two $\omega$-saturated models, and let $\bar{c} \in A^n$ and $\bar{d} \in B^n$ be tuples so that $(\mathfrak{A}, \bar{c}) \equiv_\sigma (\mathfrak{B}, \bar{d})$. Then $(\mathfrak{A}, \bar{c}) \sim_\sigma (\mathfrak{B}, \bar{d})$.
Proof. Consider the following set
$$Z := \{p \colon \bar{a} \mapsto \bar{b} \mid (\mathfrak{A}, \bar{a}) \equiv_\sigma (\mathfrak{B}, \bar{b})\}.$$
We claim that $Z$ is a guarded $\sigma$-bisimulation between $(\mathfrak{A}, \bar{c})$ and $(\mathfrak{B}, \bar{d})$. We first note that by assumption $\bar{c} \mapsto \bar{d} \in Z$, and hence $Z$ satisfies (cover). $Z$ also clearly consists of uniform partial $\sigma$-isomorphisms between $\mathfrak{A}$ and $\mathfrak{B}$. What remains to be proved is that $Z$ also satisfies (forth) and (back). Since these two cases are analogous, we will concentrate on (forth).

Let $p \colon \bar{a} \to \bar{b} \in Z$, $a \in X$ and $X' := \{c_1, \ldots, c_m\} \subseteq A$ be a $\sigma$-live set so that $a \in X'$. For simplicity we will assume that $a = c_1$. Consider now the following elementary $m$-type
$$\Sigma := \{\varphi(p(a), x_2, \ldots, x_m) \in \mathrm{UGF}_1[\sigma \cup \{p(a)\}] \mid \mathfrak{A} \models \varphi(a, c_2, \ldots, c_m)\}.$$
We claim that $\Sigma$ is realized in $(\mathfrak{B}, p(a))$. Since $\mathfrak{B}$ is $\omega$-saturated, it suffices to show that each finite subset of $\Sigma$ is realized in $(\mathfrak{B}, p(a))$. Let
$$\varphi_1(p(a), x_2, \ldots, x_m), \ldots, \varphi_r(p(a), x_2, \ldots, x_m) \in \Sigma.$$
Since $X'$ is $\sigma$-live, there exists an atomic formula $\alpha(x_1, \ldots, x_m)$ over $\sigma$ with the property that
$$\mathfrak{A} \models \exists x_2 \ldots \exists x_m \Big(\alpha(a, x_2, \ldots, x_m) \wedge \bigwedge_{1 \leq i \leq r} \varphi_i(a, x_2, \ldots, x_m)\Big).$$
Note that Definition 6 guarantees that this is indeed a formula of $\mathrm{UGF}_1[\sigma]$. Since $(\mathfrak{A}, \bar{a}) \equiv_\sigma (\mathfrak{B}, \bar{b})$, we know that
$$\mathfrak{B} \models \exists x_2 \ldots \exists x_m \Big(\alpha(p(a), x_2, \ldots, x_m) \wedge \bigwedge_{1 \leq i \leq r} \varphi_i(p(a), x_2, \ldots, x_m)\Big).$$
Thus $\{\varphi_1(p(a), x_2, \ldots, x_m), \ldots, \varphi_r(p(a), x_2, \ldots, x_m)\}$ is satisfiable in $(\mathfrak{B}, p(a))$, and hence $\Sigma$ is satisfiable in $(\mathfrak{B}, p(a))$, say by the tuple $(p(a), d_2, \ldots, d_m)$. Now $\bar{c} \mapsto \bar{d} \in Z$, with $d_1 := p(a)$, is the mapping we were after.

Remark 2. Using the two previous lemmas one can prove in a standard manner that $\mathrm{UGF}_1$ is the maximal fragment of FO which is invariant under uniform guarded bisimulation, see for example [2].


4 Proof that $\mathrm{UGF}_1$ has CIP

In this section we will prove that $\mathrm{UGF}_1$ has CIP. We will start with the following lemma.

Lemma 3. Let $\sigma$ and $\tau$ be signatures, and let $\varphi \in \mathrm{UGF}_1[\sigma]$ and $\psi \in \mathrm{UGF}_1[\tau]$. Suppose that there is no $\chi \in \mathrm{UGF}_1[\sigma \cap \tau]$ with the property that $\varphi \models \chi$ and $\chi \models \psi$. Then there are a $\sigma$-model $\mathfrak{A}$ and a $\tau$-model $\mathfrak{B}$ with the property that $\mathfrak{A} \models \varphi$, $\mathfrak{B} \models \neg\psi$ and $\mathfrak{A} \equiv_{\sigma \cap \tau} \mathfrak{B}$.

Proof. Essentially the same argument as the one used in the proof of Theorem 4.1 in [2] gives the result.

To give a high level overview of the rest of the proof, suppose that the assumption of Lemma 3 holds for sentences $\varphi$ and $\psi$, which implies in particular that there are models $\mathfrak{A}$ and $\mathfrak{B}$ so that $\mathfrak{A} \sim_{\sigma \cap \tau} \mathfrak{B}$. Now, what we want to prove is that $\varphi \wedge \neg\psi$ is satisfiable. To do this, we will follow a standard approach in modal logic [2,11] by constructing an amalgam $\mathfrak{U}$ which has the property that $\mathfrak{U} \sim_\sigma \mathfrak{A}$ and $\mathfrak{U} \sim_\tau \mathfrak{B}$. In particular, it will be a model of $\varphi \wedge \neg\psi$, since $\mathfrak{A} \models \varphi$ and $\mathfrak{B} \models \neg\psi$.

Suppose now that $\mathfrak{A} \sim_{\sigma \cap \tau} \mathfrak{B}$ and let $Z$ be a guarded $(\sigma \cap \tau)$-bisimulation which witnesses it. Given a pair $(\bar{a}, \bar{b})$ we will use $(\bar{a}, \bar{b}) \in Z$ to denote the fact that there exists $p \in Z$ with the property that $\bar{a} = \mathrm{dom}(p)$ and $p(\bar{a}) = \bar{b}$. In other words, the relation $a_i \mapsto b_i$ induces a uniform partial $(\sigma \cap \tau)$-isomorphism which belongs to $Z$.

Before describing the construction of $\mathfrak{U}$, we need to introduce some additional notation. Given two tuples $\bar{a}$ and $\bar{b}$ of the same length, we will let $(\bar{a} \otimes \bar{b})$ denote the following tuple:
$$((a_1, b_1), \ldots, (a_n, b_n)).$$
Given $(\bar{a} \otimes \bar{b})$, we say that it is left-good, if for every $1 \leq i < j \leq n$ we have that if $a_i = a_j$, then $b_i = b_j$.² Similarly we say that $(\bar{a} \otimes \bar{b})$ is right-good, if for every $1 \leq i < j \leq n$ we have that if $b_i = b_j$, then $a_i = a_j$. Finally we say that $(\bar{a} \otimes \bar{b})$ is good if it is left-good and right-good. Note that if $(\bar{a} \otimes \bar{b})$ is of length $n$, $k \geq n$ and $\mu \colon [k] \to [n]$ is a surjection, then we have that if $(\bar{a} \otimes \bar{b})$ is left-good, then so is $(\bar{a} \otimes \bar{b})_\mu$. The analogous observation of course holds for right-good and good.

As the domain of the amalgam $\mathfrak{U}$ we will take the set $U = \{(a, b) \in A \times B \mid (a, b) \in Z\}$, while the interpretations of relation symbols will be defined as follows. First, for every $R \in \sigma \cap \tau$ we define that
$$(\bar{a} \otimes \bar{b}) \in R^{\mathfrak{U}} \iff \bar{a} \in R^{\mathfrak{A}} \text{ and } (\bar{a}, \bar{b}) \in Z.$$
Then, for every $R \in (\sigma \setminus \tau)$ we define that $(\bar{a} \otimes \bar{b}) \in R^{\mathfrak{U}}$ iff $\bar{a} \in R^{\mathfrak{A}}$ and one of the following conditions holds:
— $(\bar{a}, \bar{b}) \in Z$.
— $(\bar{a} \otimes \bar{b})$ is left-good and $\bar{a}$ is not $(\sigma \cap \tau)$-live.

Similarly, for every $R \in (\tau \setminus \sigma)$ we define that $(\bar{a} \otimes \bar{b}) \in R^{\mathfrak{U}}$ iff $\bar{b} \in R^{\mathfrak{B}}$ and one of the following conditions holds:
— $(\bar{a}, \bar{b}) \in Z$.
— $(\bar{a} \otimes \bar{b})$ is right-good and $\bar{b}$ is not $(\sigma \cap \tau)$-live.

This concludes the construction of $\mathfrak{U}$. This construction is similar to the one given in [11], with the exception that we require tuples that are not $(\sigma \cap \tau)$-live to be either right-good or left-good.

² In other words, if $(\bar{a} \otimes \bar{b})$ is left-good, then the projection $(\bar{a} \otimes \bar{b}) \mapsto \bar{a}$ is an injection.
We now define
$$Z_1 := \{(\bar{a} \otimes \bar{b}) \mapsto \bar{a} \mid (\bar{a} \otimes \bar{b}) \text{ is } \sigma\text{-live in } \mathfrak{U}\}$$
and
$$Z_2 := \{(\bar{a} \otimes \bar{b}) \mapsto \bar{b} \mid (\bar{a} \otimes \bar{b}) \text{ is } \tau\text{-live in } \mathfrak{U}\}.$$
Note that if $(\bar{a} \otimes \bar{b})$ is $\sigma$-live, then by construction it is also left-good (and an analogous observation obviously holds for $\tau$-live tuples in $\mathfrak{U}$).

Lemma 4. $Z_1$ consists of uniform partial $\sigma$-isomorphisms between $\mathfrak{U}$ and $\mathfrak{A}$, and $Z_2$ consists of uniform partial $\tau$-isomorphisms between $\mathfrak{U}$ and $\mathfrak{B}$.

Proof. We will only consider the case of $Z_1$, since the case of $Z_2$ is analogous. Let $(\bar{a} \otimes \bar{b}) \mapsto \bar{a} \in Z_1$, where the length of $(\bar{a} \otimes \bar{b})$ is $n$. We will separately check that this mapping preserves 1-types and $n$-ary atomic formulas.

Let $1 \leq i \leq n$ and suppose that
$$((a_i, b_i), \ldots, (a_i, b_i)) \in R^{\mathfrak{U}},$$
where $R \in \sigma$. By construction we know that $(a_i, \ldots, a_i) \in R^{\mathfrak{A}}$. Suppose then that
$$(a_i, \ldots, a_i) \in R^{\mathfrak{A}}.$$
Since by definition of $U$ we have that $(a_i, b_i) \in Z$, we can conclude that
$$((a_i, b_i), \ldots, (a_i, b_i)) \in R^{\mathfrak{U}}.$$
Thus $(a_i, b_i)$ and $a_i$ have the same 1-types over $\sigma$.

We will then verify that the mapping preserves $n$-ary atomic formulas. Let $R \in \sigma$ be a $k$-ary relation, where $k \geq n$, and let $\mu \colon [k] \to [n]$ be a surjection. We need to show that $(\bar{a} \otimes \bar{b})_\mu \in R^{\mathfrak{U}}$ iff $\bar{a}_\mu \in R^{\mathfrak{A}}$. Again, the left to right direction follows immediately from the definition of $\mathfrak{U}$, so we will concentrate on the direction from right to left. First we note that if $\bar{a}$ is not $(\sigma \cap \tau)$-live, then we are done, since then also $\bar{a}_\mu$ is not $(\sigma \cap \tau)$-live (so $R \in \sigma \setminus \tau$), while $(\bar{a} \otimes \bar{b})_\mu$ is left-good.

Thus we can assume that $\bar{a}$ is $(\sigma \cap \tau)$-live. Now, due to the definition of $Z_1$, we know that $(\bar{a} \otimes \bar{b})$ is $\sigma$-live in $\mathfrak{U}$. Hence, by definition of $\mathfrak{U}$, and the fact that $\bar{a}$ is $(\sigma \cap \tau)$-live, we know that $(\bar{a}, \bar{b}) \in Z$, which is the same as $(\bar{a}_\mu, \bar{b}_\mu) \in Z$. Now we can deduce, due to the definition of $\mathfrak{U}$, that $(\bar{a} \otimes \bar{b})_\mu \in R^{\mathfrak{U}}$. This, together with the fact that $(\bar{a} \otimes \bar{b}) \mapsto \bar{a}$ preserves 1-types over $\sigma$, allows us to conclude that $\mathrm{tp}^{\mathfrak{U}}_\sigma[\bar{a} \otimes \bar{b}] = \mathrm{tp}^{\mathfrak{A}}_\sigma[\bar{a}]$.


Lemma 5. $Z_1$ is a guarded $\sigma$-bisimulation between $\mathfrak{U}$ and $\mathfrak{A}$, and $Z_2$ is a guarded $\tau$-bisimulation between $\mathfrak{U}$ and $\mathfrak{B}$.

Proof. Again, we will only consider the case of $Z_1$, since the case of $Z_2$ is analogous. Due to Lemma 4 we just need to verify the (back) and (forth) conditions. Let $(\bar{a} \otimes \bar{b}) \mapsto \bar{a} \in Z_1$, where the length of $\bar{a}$ and $\bar{b}$ is $n$.

(forth) Let $(a_i, b_i) \in X$ and let $X' \subseteq U$ be a $\sigma$-live set so that $(a_i, b_i) \in X'$. Since $X'$ is $\sigma$-live, we know that it is of the form $\{(c_1, d_1), \ldots, (c_m, d_m)\}$, with $(\bar{c} \otimes \bar{d})$ being left-good. Now $(\bar{c} \otimes \bar{d}) \mapsto \bar{c} \in Z_1$ is the required mapping.

(back) Let $a_i \in Y$ and let $Y' \subseteq A$ be a $\sigma$-live set so that $a_i \in Y'$. For concreteness, suppose that $Y' = \{c_1, \ldots, c_m\}$ with $c_1 = a_i$, and put $d_1 := b_i$. Consider first the case that $Y'$ is not $(\sigma \cap \tau)$-live in $\mathfrak{A}$. For every $2 \leq \ell \leq m$ we will pick an element $d_\ell$ so that $(c_\ell, d_\ell) \in Z$. Note that such elements exist since each singleton is a live set. By construction $\{(c_1, d_1), \ldots, (c_m, d_m)\}$ is $\sigma$-live, and hence $(\bar{c} \otimes \bar{d}) \mapsto \bar{c} \in Z_1$ is the required mapping we were after.
Suppose then that $Y'$ is $(\sigma \cap \tau)$-live in $\mathfrak{A}$. Since $(a_i, b_i) \in U$, we know that $(a_i, b_i) \in Z$. Since $Z$ is a guarded $(\sigma \cap \tau)$-bisimulation, there exists a set $\{d_1, \ldots, d_m\} \subseteq B$ so that $(\bar{c}, \bar{d}) \in Z$ and $(a_i, b_i) \in (\bar{c} \otimes \bar{d})$. In particular $(\bar{c} \otimes \bar{d})$ is $\sigma$-live in $\mathfrak{U}$, and hence $(\bar{c} \otimes \bar{d}) \mapsto \bar{c} \in Z_1$, which is the mapping we were after.

Theorem 1. $\mathrm{UGF}_1$ has the Craig interpolation property.

Proof. Let $\varphi \in \mathrm{UGF}_1[\sigma]$ and $\psi \in \mathrm{UGF}_1[\tau]$ be sentences so that $\varphi \models \psi$, but there is no interpolant for this entailment. By Lemma 3 there exist a $\sigma$-model $\mathfrak{A}$ and a $\tau$-model $\mathfrak{B}$ such that $\mathfrak{A} \models \varphi$, $\mathfrak{B} \models \neg\psi$ and $\mathfrak{A} \equiv_{\sigma \cap \tau} \mathfrak{B}$. Take $\omega$-saturated elementary extensions $\mathfrak{A}'$ and $\mathfrak{B}'$ of $\mathfrak{A}$ and $\mathfrak{B}$. Since $\mathfrak{A}' \equiv_{\sigma \cap \tau} \mathfrak{B}'$, by Lemma 2 we have that $\mathfrak{A}' \sim_{\sigma \cap \tau} \mathfrak{B}'$. Using the construction presented in this section there exists a $(\sigma \cup \tau)$-model $\mathfrak{U}$ with the property that $\mathfrak{U} \sim_\sigma \mathfrak{A}'$ and $\mathfrak{U} \sim_\tau \mathfrak{B}'$. Thus $\mathfrak{U} \models \varphi \wedge \neg\psi$, i.e. $\varphi \wedge \neg\psi$ is consistent, which is a contradiction with the assumption that $\varphi \models \psi$.


5 Complexity of uniform GF 


In this section we will prove that the satisfiability problem of uniform GF is in NEXPTIME. Since it was proved in [15] that the satisfiability problem of $\mathrm{UGF}_1$ is NEXPTIME-hard, this upper bound is sharp.


5.1 Scott normal form 


As usual, we will start by arguing that we can restrict our attention to sentences 
which are in a certain normal form. The normal form that we will use here has a 
somewhat awkward form, but the proof of Lemma 6 should clarify why we chose 
to use it. 


Definition 8. Let $\varphi$ be a sentence of UGF. We say that $\varphi$ is in normal form, if it has the following shape

$$\bigwedge_{t \in T} \exists x\, \lambda_t(x) \;\wedge\; \bigwedge_{i \in I} \forall \bar x\,(\alpha_i(\bar x) \to \exists \bar y\,(\beta_i(\bar x, \bar y) \wedge \psi_i(\bar x, \bar y))) \;\wedge\; \bigwedge_{j \in J} \forall \bar x\,(\kappa_j(\bar x) \to (\theta_j(\bar x) \to \forall \bar y\,(\gamma_j(\bar x, \bar y) \to \vartheta_j(\bar x, \bar y)))),$$

where $T, I, J$ are non-empty (finite) sets, $\lambda_t, \alpha_i, \beta_i, \kappa_j$ and $\gamma_j$ are atomic formulas and $\psi_i, \theta_j$ and $\vartheta_j$ are quantifier-free formulas.


Remark 3. In the definition of the normal form we do not require that the tuples $\bar y$ are necessarily non-empty, i.e., we allow formulas of the form $\forall \bar x\,(\alpha_i(\bar x) \to \psi_i(\bar x))$ in our normal forms. However, we do require that the tuples $\bar x$ are non-empty, and hence we do not allow formulas of the form $\exists \bar y\,(\beta_i(\bar y) \wedge \psi_i(\bar y))$, where the length of $\bar y$ is more than one.


If $\varphi$ is a sentence of UGF in normal form, then we refer to its conjuncts of the form

$$\forall \bar x\,(\alpha_i(\bar x) \to \exists \bar y\,(\beta_i(\bar x, \bar y) \wedge \psi_i(\bar x, \bar y)))$$

as the existential requirements and we will use $\varphi_i^\exists$ to denote them. Given a model $\mathfrak A$, an existential requirement $\varphi_i^\exists$ and $\bar a \in A^n$ we say that a tuple $\bar c$ is a witness for $\varphi_i^\exists$ and $\bar a$ if

$$\mathfrak A \models \beta_i(\bar a, \bar c) \wedge \psi_i(\bar a, \bar c).$$

Conjuncts of the form

$$\forall \bar x\,(\kappa_j(\bar x) \to (\theta_j(\bar x) \to \forall \bar y\,(\gamma_j(\bar x, \bar y) \to \vartheta_j(\bar x, \bar y))))$$

will be referred to as the universal requirements and we will use $\varphi_j^\forall$ to denote them.
Using standard renaming techniques one can establish the following. 


Lemma 6. There is a polynomial nondeterministic procedure, taking as its input a sentence $\varphi \in \mathrm{UGF}[\sigma]$ and producing a sentence $\varphi' \in \mathrm{UGF}[\sigma']$ in normal form, where $\sigma' \supseteq \sigma$, such that

1. if $\mathfrak A \models \varphi$ for some model $\mathfrak A$, then there is a run of the procedure producing a normal form $\varphi'$ such that $\mathfrak A' \models \varphi'$ for some expansion $\mathfrak A'$ of $\mathfrak A$ to the vocabulary $\sigma'$,

2. if the procedure has a run producing $\varphi'$ and $\mathfrak A' \models \varphi'$ for some $\mathfrak A'$, then the $\sigma$-reduct $\mathfrak A$ of $\mathfrak A'$ satisfies $\varphi$.


Proof. We will essentially follow the proof of Lemma 1 in [15], with some small technical modifications. Let $\varphi \in \mathrm{UGF}[\sigma]$ be a sentence, which w.l.o.g. contains only existential quantification. Let $\gamma$ be the innermost formula of $\varphi$ which starts with a block of existential quantifiers. If $\gamma$ is a sentence, we will nondeterministically either replace it with $\bot$ or $\top$ and add $\gamma$ or $\neg\gamma$ (depending on our guess) as a conjunct to the resulting formula. Suppose then that $\gamma$ is a formula of the form

$$\exists \bar y\,(\alpha(\bar x, \bar y) \wedge \psi(\bar x, \bar y)).$$

Since $\varphi$ was a sentence, $\gamma$ occurs in the scope of another formula of the form

$$\exists \bar z\,(\alpha'(\bar z) \wedge \psi'(\bar z)),$$

where $\bar x \subseteq \bar z$. Let $\alpha'$ be the guard of the innermost such formula. We will now replace $\varphi$ with the following formula

$$\varphi[\gamma(\bar x)/R(\bar x)] \;\wedge\; \forall \bar x\,(R(\bar x) \to \exists \bar y\,(\alpha(\bar x, \bar y) \wedge \psi(\bar x, \bar y))) \;\wedge\; \forall \bar z\,(\alpha'(\bar z) \to (\neg R(\bar x) \to \forall \bar y\,(\alpha(\bar x, \bar y) \to \neg\psi(\bar x, \bar y)))),$$

where $\varphi[\gamma(\bar x)/R(\bar x)]$ is the sentence obtained from $\varphi$ by replacing the previously mentioned subformula $\gamma(\bar x)$ with the atomic formula $R(\bar x)$, where $R$ is a fresh relation symbol. It is straightforward to verify that the resulting sentence is equi-satisfiable with $\varphi$.

Now one can repeat the above procedure until one is left with a sentence of the form

$$\bigwedge_{t \in T} \exists \bar x\, \chi_t(\bar x) \;\wedge\; \bigwedge_{i \in I} \varphi_i^\exists \;\wedge\; \bigwedge_{j \in J} \varphi_j^\forall,$$

where each $\varphi_i^\exists$ is an existential requirement, while each sentence $\varphi_j^\forall$ is a universal requirement. Now one can replace each conjunct $\exists x_1 \dots \exists x_n\,(\alpha(x_1,\dots,x_n) \wedge \psi(x_1,\dots,x_n))$ with a sentence of the form

$$\exists x\, \lambda_t(x) \;\wedge\; \forall x_1\,(\lambda_t(x_1) \to \exists x_2 \dots \exists x_n\,(\alpha(x_1,\dots,x_n) \wedge \psi(x_1,\dots,x_n))),$$

where $\lambda_t$ is a fresh unary relation symbol. The resulting sentence is clearly equi-satisfiable with the original sentence and furthermore it is in normal form.
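As an added worked example (not part of the paper), the renaming step of the proof above carried out on a constructed sentence; $A$, $B$ (unary) and $E$ (binary) are assumed relation symbols, and $R$, $\lambda$ are the fresh symbols the procedure introduces:

```latex
% Constructed input sentence (assumption: A, B unary, E binary).
\varphi \;=\; \exists x\,(A(x) \wedge \exists y\,(E(x,y) \wedge B(y)))

% Innermost existential block, with guard \alpha = E and \psi = B:
\gamma(x) \;=\; \exists y\,(E(x,y) \wedge B(y)), \qquad \bar x = (x),\ \bar y = (y).

% It lies in the scope of \exists x(A(x) \wedge \ldots), so \bar z = (x), \alpha' = A.
% Renaming \gamma(x) to the fresh atom R(x) gives
\varphi[\gamma(x)/R(x)] \;=\; \exists x\,(A(x) \wedge R(x)),

% together with the two added conjuncts
\forall x\,(R(x) \to \exists y\,(E(x,y) \wedge B(y))), \qquad
\forall x\,(A(x) \to (\neg R(x) \to \forall y\,(E(x,y) \to \neg B(y)))).

% The remaining existential sentence \exists x_1(A(x_1) \wedge R(x_1)) (n = 1)
% is replaced, with a fresh unary \lambda, by
\exists x\,\lambda(x) \;\wedge\; \forall x_1\,(\lambda(x_1) \to (A(x_1) \wedge R(x_1))).

% Resulting normal form, with T = \{1\}, I = \{1, 2\}, J = \{1\}:
\exists x\,\lambda(x)
\;\wedge\; \forall x\,(\lambda(x) \to (A(x) \wedge R(x)))            % \varphi_1^\exists, \bar y empty (Remark 3): \beta_1 = A, \psi_1 = R
\;\wedge\; \forall x\,(R(x) \to \exists y\,(E(x,y) \wedge B(y)))      % \varphi_2^\exists: \alpha_2 = R, \beta_2 = E, \psi_2 = B
\;\wedge\; \forall x\,(A(x) \to (\neg R(x) \to \forall y\,(E(x,y) \to \neg B(y)))).
                                                                     % \varphi_1^\forall: \kappa_1 = A, \theta_1 = \neg R, \gamma_1 = E, \vartheta_1 = \neg B

% Equi-satisfiability check: a model of \varphi expands to a model of the normal form
% by reading R as \gamma and \lambda as one chosen witness of the outer \exists x;
% conversely, the conjuncts for R force R and \gamma to agree on the A-elements.
```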


5.2 Satisfiability Witnesses 


A standard technique in proving that the complexity of the satisfiability problem of a given fragment of FO is in NEXPTIME is to show that each satisfiable sentence of this fragment has a finite model of size at most exponential with respect to the length of the sentence [8,12,15,16]. However, in the case of UGF it seems to be easier to show that we can associate to each of its sentences $\varphi$ a different type of certificate, which is still at most exponential with respect to the length of the sentence, and which can be used to construct a (potentially infinite) model for $\varphi$.


Definition 9. Let $\varphi \in \mathrm{UGF}[\sigma]$ be a sentence in normal form, $P$ be a set of 1-types over $\sigma$ and $\pi \in P$. A pair $(\mathfrak A, c)$, where $c \in A$, is called a $(P, \pi)$-witness for $\varphi$, if it satisfies the following requirements.

1. $\mathrm{tp}^{\mathfrak A}[c] = \pi$.

2. For every $a \in A$ we have that $\mathrm{tp}^{\mathfrak A}[a] \in P$.

3. For every existential requirement $\varphi_i^\exists$ and for every tuple $\bar a$ which contains $c$ we have that if $\mathfrak A \models \alpha_i(\bar a)$, then there exists a witness for $\varphi_i^\exists$ and $\bar a$.

4. For every universal requirement $\varphi_j^\forall$ and for every tuple $\bar a$ which contains $c$ we have that if $\mathfrak A \models \kappa_j(\bar a) \wedge \theta_j(\bar a)$, then for every tuple $\bar b$ we have that

$$\mathfrak A \models \gamma_j(\bar a, \bar b) \to \vartheta_j(\bar a, \bar b).$$

Here the intuition is that a $(P, \pi)$-witness $(\mathfrak A, c)$ is a local certificate; it certifies that we can provide witnesses for tuples which contain the element $c$. The main idea now is that if we have a $(P, \pi)$-witness for each $\pi \in P$, then we can use them to construct a proper model for $\varphi$.


Definition 10. Let $\varphi \in \mathrm{UGF}[\sigma]$ be a sentence in normal form. A set of 1-types $P$ over $\sigma$ is a witness for $\varphi$, if it satisfies the following two requirements.

1. For every conjunct $\exists x\, \lambda_t(x)$ there exists $\pi \in P$ so that $\lambda_t(x) \in \pi$.
2. For every $\pi \in P$ there exists a $(P, \pi)$-witness for $\varphi$.

The following lemmas prove that the existence of a witness for $\varphi$ is equivalent to the satisfiability of $\varphi$.


Lemma 7. Let $\varphi \in \mathrm{UGF}$ be a sentence in normal form. If $\varphi$ is satisfiable, then there exists a witness for it.

Proof. Suppose that $\mathfrak A \models \varphi$. As the set of 1-types $P$ we can take the set

$$\{\mathrm{tp}^{\mathfrak A}[a] \mid a \in A\}.$$

Clearly for every conjunct $\exists x\, \lambda_t(x)$ there exists a suitable 1-type in $P$. Towards verifying the second requirement let $\pi \in P$ and let $c \in A$ be an element which realizes $\pi$. Then $(\mathfrak A, c)$ is clearly a $(P, \pi)$-witness for $\varphi$.


Lemma 8. Let $\varphi \in \mathrm{UGF}$ be a sentence in normal form. If there exists a witness for $\varphi$, then it is satisfiable.

Proof. For simplicity we will assume that $\varphi$ contains exactly one conjunct of the form $\exists x\, \lambda(x)$. Let $P$ be a witness for $\varphi$. Thus for every $\pi \in P$ there exists a pair $(\mathfrak A^\pi, c)$ which is a $(P, \pi)$-witness for $\varphi$. Our goal is to use these witnesses to construct a sequence of models

$$\mathfrak A_1 \le \mathfrak A_2 \le \mathfrak A_3 \le \dots$$

so that their union is a model of $\varphi$.

Let $\pi \in P$ be a 1-type so that $\pi \models \lambda$. As the model $\mathfrak A_1$ we will take the model which contains a single element with 1-type $\pi$. Suppose then that we have defined $\mathfrak A_n$ in such a way that each 1-type realized in $\mathfrak A_n$ belongs to $P$. To define the model $\mathfrak A_{n+1}$ we will proceed as follows. Given $a \in A_n$, we will use $W_a$ to denote the set $A^\pi - \{c\}$, where $A^\pi$ refers to the domain of the model in the $(P, \pi)$-witness $(\mathfrak A^\pi, c)$ of $\pi := \mathrm{tp}^{\mathfrak A_n}[a]$. Without loss of generality we will assume that the sets $W_a$ are pairwise disjoint. Now we will define $\mathfrak A_{n+1}$ as follows.

— The domain of the model is

$$A_n \cup \bigcup_{a \in A_n} W_a.$$

— $\mathfrak A_{n+1} \restriction A_n$ is defined to be isomorphic with $\mathfrak A_n$.

— For each $a \in A_n$ and for each $\{c_1,\dots,c_m\} \subseteq W_a$, we define that

$$\mathrm{tp}^{\mathfrak A_{n+1}}[a, c_1, \dots, c_m] = \mathrm{tp}^{\mathfrak A^\pi}[c, c_1, \dots, c_m],$$

where $\pi$ is the 1-type of $a$.

— For every tuple $(a_1,\dots,a_m)$ and an $m$-ary relation $R$ for which we have not yet defined whether $(a_1,\dots,a_m)$ belongs to $R^{\mathfrak A_{n+1}}$, we will simply define that it does not belong to it.

The last step guarantees that if a tuple which contains more than one element is live in $\mathfrak A_{n+1}$, then it was already live in one of the models $\mathfrak A^\pi$. It is straightforward to verify that the union of the models $(\mathfrak A_n)_{n < \omega}$ is indeed a model of $\varphi$.


5.3 Complexity of UGF 


Although the size of a witness for $\varphi$ is clearly only exponential with respect to $|\varphi|$, we do not yet have any upper bound on the time it takes to verify that it really is a witness for $\varphi$. The following lemma gives us such a bound.


Lemma 9. Let $\varphi \in \mathrm{UGF}$ be a sentence in normal form and let $\sigma$ denote the vocabulary of $\varphi$. Let $P$ be a set of 1-types over $\sigma$ and $\pi \in P$. If there exists a $(P, \pi)$-witness for $\varphi$, then there exists one in which the size of the model is at most $2^{|\varphi|^{O(1)}}$.

Proof. Let $(\mathfrak A, c)$ be a $(P, \pi)$-witness for $\varphi$ and let $m = \max\{\mathrm{ar}(R) \mid R \in \sigma\}$. Note that $m \le |\varphi|$. Our goal is to construct a sequence

$$\mathfrak B_1 \le \dots \le \mathfrak B_m$$

of models so that $(\mathfrak B_m, e)$ is a $(P, \pi)$-witness for $\varphi$ and $|B_m| \le 2^{|\varphi|^{O(1)}}$. As the model $\mathfrak B_1$ we will take the model which contains a single element with 1-type $\pi$; let $e$ denote this element.

Before moving forward, we will introduce one auxiliary definition. Let $\bar a = (a_1,\dots,a_n)$ and $\bar b = (b_1,\dots,b_n)$ be tuples of elements from two models $\mathfrak A$ and $\mathfrak B$. Let $\{c_1,\dots,c_m\}$ denote the set of distinct elements in $\bar a$. We say that $\bar a$ and $\bar b$ are similar, if the mapping $p : \bar a \to \bar b$, which is the mapping induced by the relation $a_i \mapsto b_i$, is a bijection and furthermore

$$\mathrm{tp}^{\mathfrak A}[c_1, \dots, c_m] = \mathrm{tp}^{\mathfrak B}[p(c_1), \dots, p(c_m)].$$

Suppose now that we have defined $\mathfrak B_k$, where $k < m$, in such a way that for each $\sigma$-live tuple $\bar b$ for which $\mathrm{tp}^{\mathfrak B_k}[\bar b]$ has been defined, there exists a similar tuple $\bar a$ which consists of elements of $\mathfrak A$. Given an existential requirement $\varphi_i^\exists$ of $\varphi$ and a tuple $\bar b \in \alpha_i^{\mathfrak B_k}$ which contains the element $e$, we say that $\bar b$ is an $i$-defect if there exists no witness for $\varphi_i^\exists$ and $\bar b$ in the model $\mathfrak B_k$. By construction, for each $i$-defect $\bar b$ we can find a tuple $\bar a$ of elements of $\mathfrak A$ so that $\bar b$ and $\bar a$ are similar. In particular $\bar a \in \alpha_i^{\mathfrak A}$, and hence there exists a witness $\bar c$ for $\varphi_i^\exists$ and $\bar a$ in $\mathfrak A$; let $W_{\bar b}$ denote the set of elements in $\bar c$ which were not contained in $\bar a$. Without loss of generality we will assume that the sets $W_{\bar b}$ are pairwise disjoint. Now we will define $\mathfrak B_{k+1}$ as follows.


— The domain of the model is

$$B_k \cup \bigcup_{i \in I} \;\bigcup_{\bar b \text{ an } i\text{-defect}} W_{\bar b}.$$

— $\mathfrak B_{k+1} \restriction B_k$ is defined to be isomorphic with $\mathfrak B_k$.
— For each $i$-defect $\bar b$ and a set $W_{\bar b} = \{c_1,\dots,c_n\}$ we define that

$$\mathrm{tp}^{\mathfrak B_{k+1}}[d_1, \dots, d_r, c_1, \dots, c_n] = \mathrm{tp}^{\mathfrak A}[p(d_1), \dots, p(d_r), c_1, \dots, c_n],$$

where $(d_1,\dots,d_r)$ enumerates all the elements occurring in $\bar b$ and $p : \bar b \to \bar a$.

— For every tuple $(b_1,\dots,b_n)$ and an $n$-ary relation $R$ for which we have not yet defined whether $(b_1,\dots,b_n)$ belongs to $R^{\mathfrak B_{k+1}}$, we will simply define that it does not belong to it.


This completes the construction of the models $\mathfrak B_1, \dots, \mathfrak B_m$. To bound the size of $\mathfrak B_m$, we first note that

$$|B_{k+1}| \le |B_k| + |\varphi|\, D_k,$$

where $D_k$ denotes the number of defects in $\mathfrak B_k$. By construction, for every defect $(d_1,\dots,d_r)$ of $\mathfrak B_k$ the set $\{d_1,\dots,d_r\}$ is a $\sigma$-live set which is not contained in $\mathfrak B_\ell$ for any $\ell < k$. If $k = 1$, then the number of such $\sigma$-live sets is one, and if $k > 1$, then the number of such $\sigma$-live sets is $D_{k-1}$. Since each $\sigma$-live set is of size at most $|\varphi|$, there are at most $|\varphi|\,|\varphi|^{|\varphi|}\, D_{k-1} = 2^{|\varphi|^{O(1)}} D_{k-1}$ defects in $\mathfrak B_k$, i.e.,

$$D_k \le 2^{|\varphi|^{O(1)}} D_{k-1}.$$

Since $m \le |\varphi|$, we have that $D_k \le 2^{|\varphi|^{O(1)}}$ for any $k \le m$, and hence $|B_m| \le 2^{|\varphi|^{O(1)}}$.

Thus what remains to be proven is that $(\mathfrak B_m, e)$ is a $(P, \pi)$-witness for $\varphi$. Here the only non-trivial requirement that we need to verify is that $\mathfrak B_m$ satisfies the second item in Definition 9. So, let $\varphi_i^\exists$ be an existential requirement and let $\bar b = (b_1,\dots,b_n) \in \alpha_i^{\mathfrak B_m}$ be a tuple which contains $e$. We can clearly assume that $n \le m$. It suffices to show that $\bar b$ is contained in $\mathfrak B_k$ for some $k < m$, since then by construction we know that it has a witness in $\mathfrak B_m$.

Aiming for a contradiction, suppose that $\bar b$ is contained in $\mathfrak B_m$, but it is not contained in $\mathfrak B_k$ for any $k < m$. By construction we know that, since $\bar b$ is $\sigma$-live, we assigned a table to some tuple $(b'_1,\dots,b'_r)$, where $(b'_1,\dots,b'_r)$ enumerates the set of distinct elements of $(b_1,\dots,b_n)$. Again, by construction we know that we assigned a table to the tuple $(b'_1,\dots,b'_r)$ because we wanted to provide a witness for some tuple $(d_1,\dots,d_s)$, which contains $e$ and for which $\{d_1,\dots,d_s\}$ is a strict subset of $\{b'_1,\dots,b'_r\}$.³

Now observe that $(d_1,\dots,d_s)$ is a $\sigma$-live tuple containing $e$, which is contained in $\mathfrak B_{m-1}$ but is not contained in $\mathfrak B_k$ for any $k < m-1$. Indeed, if it were contained in $\mathfrak B_k$ for some $k < m-1$, then by construction we would have provided a witness for it in the model $\mathfrak B_{k+1}$, i.e., $(b_1,\dots,b_n)$ would have been contained in $\mathfrak B_{k+1}$. But now we are in a position which is the same as the one that we started in; in particular, we can repeat the above argument. After repeating the argument (at least) $(n-1)$ times we would end up with the conclusion that $e$ is contained in some $\mathfrak B_k$, where $k > 1$, but it is not contained in $\mathfrak B_1$, which would be an obvious contradiction.

³ If it were not, there would have been no need to provide a witness for it.


Now we can prove the main theorem of this section.

Theorem 2. The satisfiability problem of UGF is NEXPTIME-complete.

Proof. The lower bound follows from the proof of Theorem 3 in [15]. We will give an informal description of a non-deterministic procedure running in exponential time which determines whether a given sentence $\varphi \in \mathrm{UGF}$ is satisfiable. It starts by converting $\varphi$ into an equi-satisfiable sentence $\varphi' \in \mathrm{UGF}$ in normal form, after which it guesses a set of 1-types $P$ over the vocabulary of $\varphi'$ and for each $\pi \in P$ a $(P, \pi)$-witness $(\mathfrak A, c)$ for $\varphi'$, where the size of $\mathfrak A$ is at most $2^{|\varphi|^{O(1)}}$. Lemmas 6, 7, 8 and 9 guarantee that this procedure is correct. Since $|P| \le 2^{|\varphi|}$, the algorithm runs in exponential time with respect to $|\varphi|$.


6 Conclusions 


In this paper we have proved two results of quite distinct flavour on uniform 
guarded fragments. The first result was that although GF fails to have Craig 
interpolation, its one-dimensional uniform fragment does have it. The second re- 
sult was that the complexity of the satisfiability problem of the uniform guarded 
fragment is NEXPTIME-complete. The results presented in this paper suggest 
several new research questions, but here we will mention just two of them. 

The first question is whether or not uniform GF has the Craig interpolation property. While the correctness of the amalgam construction presented in Section 4 rests on the assumption of one-dimensionality, we have not been able to show that uniform GF lacks the Craig interpolation property. This has led the author to conjecture that uniform GF does in fact have the Craig interpolation property.

The second question is whether or not uniform GF has the exponential model property (note that if uniform GF had the exponential model property, then one would obtain Theorem 2 for free). As we saw in the proof of Lemma 9, the requirement of uniformity essentially prevents uniform GF from enforcing long paths, and this seems to suggest that uniform GF can only enforce exponentially long paths (which it can enforce, since it contains standard modal logic with the global diamond). Because of this, the author conjectures that uniform GF has the exponential model property.
Abstract. Monad-comonad interaction laws are a mathematical concept for describing communication protocols between effectful computations and coeffectful environments in the paradigm where notions of effectful computation are modelled by monads and notions of coeffectful environment by comonads. We show that monad-comonad interaction laws are an instance of measuring maps from Sweedler theory for duoidal categories whereby the final interacting comonad for a monad and a residual monad arises as the Sweedler hom and the initial residual monad for a monad and an interacting comonad as the Sweedler copower. We then combine this with a (co)algebraic characterization of monad-comonad interaction laws to derive descriptions of the Sweedler hom and the Sweedler copower in terms of their coalgebras resp. algebras.


Keywords: (co)monads - (co)algebras - interaction laws - runners - 
duoidal categories - Sweedler operations 


1 Introduction 


The monad-comonad interaction laws of Katsumata et al. [16] are a mathematical concept for formalizing ways in which effectful programs (e.g., programs reading from and writing to a store, programs making nondeterministic choices) can be run. The idea is that effectful programs issue requests to the outside world; they can thus run on machines that can service such requests. Programs denote computations, machines implement environments. Notions of computation are modelled by monads in the manner first explained by Moggi [23], while notions of environment can be modelled by comonads. Interaction laws model protocols of cooperation between computations and environments. Ideally, interaction should result in a return value and a final state. But it may be that some effects cannot be serviced, in which case interaction yields a residual computation of a return value and a final state; another monad is then needed to model the suitable notion of residual computation. A monad-comonad interaction law is therefore given by a monad $T$, a comonad $D$ and a monad $R$ on a symmetric monoidal category with a family of maps $TX \otimes DY \to R(X \otimes Y)$ natural in $X$ and $Y$ and agreeing with the (co)units and (co)multiplications. If $R = \mathrm{Id}$, we have a non-residual interaction law.

It is natural to ask for useful methods for recognizing and constructing monad-comonad interaction laws. Specifically, it would be useful to find: a final monad for a given interacting comonad and residual monad; a final interacting comonad for a given monad and residual monad; or an initial residual monad for a given monad and interacting comonad.

In this paper, we show how to find these universal (co)monads, elaborating on some ideas and results from prior work on interaction [16,33]. We emphasize that the most important structural foundation for interaction laws is the duoidal [10,2] interrelationship of the composition and Day convolution monoidal structures in endofunctor categories. It is so significant that some central statements about interaction laws can be made on the level of monoids and comonoids in general symmetric closed duoidal categories, completely suppressing any specifics about monads and comonads. In fact, it turns out that monad-comonad interaction laws are an instance of measuring maps from the Sweedler theory for duoidal categories as developed by López Franco and Vasilakopoulou [20]. The universal (co)monads are instances of the operations studied in this theory. In particular, the final interacting comonad is an instance of the Sweedler hom and the initial residual monad is an instance of the Sweedler copower.

To obtain results about monad-comonad interaction specifically, we combine 
this general perspective with the characterization of monad-comonad interac- 
tion laws by Uustalu and Voorneveld [33] as functors between the categories of 
(co)algebras of the (co)monads involved. This allows us to describe the Sweedler 
hom and the Sweedler power via their categories of (co)algebras in terms of what 
we call stateful and continuation-based runners. 

We also discuss an enriched version of monad-comonad interaction laws, of 
which strong monad-comonad interaction laws are a special case. In this case, 
both kinds of runners of an enriched monad on a self-enriched category can be 
viewed as its algebras in another enriched category. 

The paper is organized as follows. First, in Sect. 2, we review the basics 
of monad-comonad interaction laws. In Sect. 3, we show that monad-comonad 
interaction laws, the universal interacting comonad and the universal residual 
monad are an instance of measuring maps, the Sweedler hom and the Sweedler 
copower in symmetric closed duoidal categories. We then review the (co)algebraic 
perspective on monad-comonad interaction laws in Sect. 4, and apply it to derive 
(co)algebraic characterizations of the Sweedler hom and the Sweedler copower 
in Sect. 5. In Sect. 6, we comment on enriched monad-comonad interaction laws. 
We review some background category theory literature and related semantics 
work in Sect. 7. New material is primarily in Sects. 5, 6; some statements in 
Sect. 4 are also new. 

We assume from the reader familiarity with the use of (strong) monads in 
mathematical semantics to model notions of effectful computation, and familiar- 
ity with the basics of the categorical machinery we need (monads and comonads, 
symmetric monoidal closed categories, accessibility [21,1], enrichment [17]). 


2 Monad-Comonad Interaction Laws 


We begin by reviewing the basics of monad-comonad interaction laws [16]. 
Consider a symmetric monoidal closed category $(\mathcal C, I, \otimes, \multimap)$, e.g., a Cartesian monoidal closed category, e.g., $\mathbf{Set}$.

A (residual) functor-functor interaction law is given by endofunctors $F, G, H$ on $\mathcal C$ together with a family of maps

$$\phi_{X,Y} : FX \otimes GY \to H(X \otimes Y)$$

natural in $X, Y$. We speak of a non-residual interaction law when $H = \mathrm{Id}$. A map between (residual) functor-functor interaction laws $(F, G, H, \phi)$ and $(F', G', H', \phi')$ is given by natural transformations $f : F \to F'$, $g : G' \to G$ and $h : H \to H'$ satisfying the equation

$$h_{X \otimes Y} \circ \phi_{X,Y} \circ (FX \otimes g_Y) = \phi'_{X,Y} \circ (f_X \otimes G'Y) : FX \otimes G'Y \to H'(X \otimes Y).$$

Functor-functor interaction laws form a category that has a monoidal structure based on endofunctor composition.

A (residual) monad-comonad interaction law is given by a monad $T$, a comonad $D$ and a monad $R$ on $\mathcal C$ with a family of maps

$$\psi_{X,Y} : TX \otimes DY \to R(X \otimes Y)$$

natural in $X, Y$, that additionally satisfies the equations

$$\psi_{X,Y} \circ (\eta^T_X \otimes DY) = \eta^R_{X \otimes Y} \circ (X \otimes \varepsilon^D_Y), \qquad
\psi_{X,Y} \circ (\mu^T_X \otimes DY) = \mu^R_{X \otimes Y} \circ R\psi_{X,Y} \circ \psi_{TX,DY} \circ (TTX \otimes \delta^D_Y).$$

(Every such interaction law gives a functor-functor interaction law $(UT, UD, UR, \psi)$, where $U$ sends (co)monads to their underlying functors.) When $R = \mathrm{Id}$, we speak of a non-residual interaction law. A map between (residual) monad-comonad interaction laws $(T, D, R, \psi)$ and $(T', D', R', \psi')$ is given by a monad map $T \to T'$, a comonad map $D' \to D$ and a monad map $R \to R'$ that make a map between the underlying functor-functor interaction laws. Monad-comonad interaction laws form a category isomorphic to the category of monoid objects in the category of functor-functor interaction laws.


Example 1. Let $\mathcal C = \mathbf{Set}$ (or any SMCC). Take $TX = S \multimap (S \times X)$ (the state monad) and $DX = S_0 \times (S_0 \multimap X)$ (the costate comonad). There is a non-residual monad-comonad interaction law of $T$, $D$ when $S = S_0$ and more generally when $S$, $S_0$ come with a lens structure $\mathrm{get} : S_0 \to S$, $\mathrm{put} : S_0 \times S \to S_0$; in fact, these laws are in bijection with lenses.

Let $\mathcal C = \mathbf{Set}$ (or any extensive category that also has the relevant initial algebras and final coalgebras). Take $FX = 1 + X^2$ and $T$ the free monad on $F$, so $TX \cong \mu X'.\, X + 1 + X'^2$ (leaf-labelled nullary-binary trees). The only comonad $D$ that can interact with $T$ non-residually is $DY = 0$. If we take $RZ = 1 + Z$, we have an $R$-residual interaction law of $T$ and $D$ for example for $DY = \nu Y'.\, Y \times (2 \times Y')$ (node-labelled bitstreams), i.e., the cofree comonad for $GY = 2 \times Y$.

See [16,33] for further examples and their intuitive meaning for semantics. 


Some equivalent formulations of interaction laws will be useful. Due to the bijections

$$\begin{array}{ll}
FX \otimes GY \to H(X \otimes Y) & \text{nat. in } X, Y \\
\hline
\mathcal C(X \otimes Y, Z) \to \mathcal C(FX \otimes GY, HZ) & \text{nat. in } X, Y, Z \\
\hline
\mathcal C(X, Y \multimap Z) \to \mathcal C(FX, GY \multimap HZ) & \text{nat. in } X, Y, Z \\
\hline
F(Y \multimap Z) \to GY \multimap HZ & \text{nat. in } Y, Z
\end{array}$$

an $H$-residual functor-functor interaction law of $F, G$ is the same as a family of maps

$$\phi_{Y,Z} : F(Y \multimap Z) \to GY \multimap HZ$$


natural in $Y, Z$. Under this view, the equation required of a functor-functor interaction law map $(f, g, h)$ between $(F, G, H, \phi)$ and $(F', G', H', \phi')$ becomes

$$(g_Y \multimap h_Z) \circ \phi_{Y,Z} = \phi'_{Y,Z} \circ f_{Y \multimap Z} : F(Y \multimap Z) \to G'Y \multimap H'Z.$$


An $R$-residual monad-comonad interaction law of $T, D$ is the same as a family of maps

$$\psi_{Y,Z} : T(Y \multimap Z) \to DY \multimap RZ$$

natural in $Y, Z$ satisfying

$$\psi_{Y,Z} \circ \eta^T_{Y \multimap Z} = \varepsilon^D_Y \multimap \eta^R_Z, \qquad
\psi_{Y,Z} \circ \mu^T_{Y \multimap Z} = (\delta^D_Y \multimap \mu^R_Z) \circ \psi_{DY,RZ} \circ T\psi_{Y,Z}.$$


Suppose $F, G, H : \mathcal C \to \mathcal C$ are such that the coends and ends

$$(F \star G)\, Z = \int^{X,Y} \mathcal C(X \otimes Y, Z) \cdot (FX \otimes GY) \;\cong\; \int^{Y} F(Y \multimap Z) \otimes GY$$
$$(G \multimap^{\star} H)\, X = \int_{Y,Z} \mathcal C(X, Y \multimap Z) \pitchfork (GY \multimap HZ) \;\cong\; \int_{Y} GY \multimap H(X \otimes Y)$$

exist. ($F \star G$ is called the Day convolution.) Then, because of the bijections

$$\begin{array}{ll}
\int^{X,Y} \mathcal C(X \otimes Y, Z) \cdot (FX \otimes GY) \to HZ & \text{nat. in } Z \\
\hline
\mathcal C(X \otimes Y, Z) \to \mathcal C(FX \otimes GY, HZ) & \text{nat. in } X, Y, Z \\
\hline
\mathcal C(X, Y \multimap Z) \to \mathcal C(FX, GY \multimap HZ) & \text{nat. in } X, Y, Z \\
\hline
FX \to \int_{Y,Z} \mathcal C(X, Y \multimap Z) \pitchfork (GY \multimap HZ) & \text{nat. in } X
\end{array}$$

an $H$-residual functor-functor interaction law of $F, G$ turns out to be the same as a natural transformation $F \star G \to H$ or $F \to G \multimap^{\star} H$. An $R$-residual monad-comonad interaction law of $T, D$ is the same as a natural transformation $UT \star UD \to UR$ satisfying certain equations and also, by way of a particularly concise characterization, the same as a monad map $T \to D \multimap^{\star} R$ where $D \multimap^{\star} R$ is a certain canonical monad with $UD \multimap^{\star} UR$ as the underlying functor.

Now, if $\mathcal C$ is locally presentable and $F, G, H$ are accessible, then $F \star G$ and $G \multimap^{\star} H$ are guaranteed to exist and be accessible. Writing $[\mathcal C, \mathcal C]_a$ for the category of accessible endofunctors on $\mathcal C$, we obtain functors $\star : [\mathcal C, \mathcal C]_a \times [\mathcal C, \mathcal C]_a \to [\mathcal C, \mathcal C]_a$ and $\multimap^{\star} : [\mathcal C, \mathcal C]_a^{\mathrm{op}} \times [\mathcal C, \mathcal C]_a \to [\mathcal C, \mathcal C]_a$. Together with $J \in [\mathcal C, \mathcal C]_a$ defined by $JZ = \mathcal C(I, Z) \cdot I$, the functor $\star$ equips $[\mathcal C, \mathcal C]_a$ with a symmetric monoidal structure. We also get that $- \star G \dashv G \multimap^{\star} -$, i.e., this structure is closed. The functor $\multimap^{\star} : [\mathcal C, \mathcal C]_a^{\mathrm{op}} \times [\mathcal C, \mathcal C]_a \to [\mathcal C, \mathcal C]_a$ is lax monoidal wrt. the composition monoidal structure on $[\mathcal C, \mathcal C]_a$. That $UD \multimap^{\star} UR$ carries a monad structure if $D$ is an accessible comonad and $R$ is an accessible monad is a consequence of this.

These observations suggest the possibility of abstraction by switching to a more general setting. Instead of considering $[\mathcal C, \mathcal C]_a$, we can consider an arbitrary category $\mathcal D$ equipped with a monoidal structure and a symmetric monoidal structure that suitably agree. The appropriate notion of agreement is duoidality [10,2]. We will next consider this abstraction and see that monad-comonad interaction laws are the measuring maps of an instance of López Franco and Vasilakopoulou's Sweedler theory for duoidal categories [20].


3  Sweedler Theory for Duoidal Categories 


We review the Sweedler theory for duoidal categories [20] and show that monads 
provide an instance. 

Assume a symmetric duoidal category $(\mathcal D, I, \circ, J, \star)$, i.e., a symmetric monoidal category in $\mathbf{MonCAT}_{\mathrm{oplax}}$, that is also closed in the sense that $- \star G$ has a right adjoint $G \multimap^{\star} -$ in $\mathbf{CAT}$. Explicitly, this means that we have a category $\mathcal D$ equipped with a monoidal structure $(I, \circ)$, a symmetric monoidal closed structure $(J, \star, \multimap^{\star})$ and structural laws

$$J \to I \qquad J \to J \circ J$$
$$I \star I \to I \qquad (F \circ G) \star (H \circ K) \to (F \star H) \circ (G \star K)$$

satisfying appropriate equations witnessing oplax monoidality of $J : 1 \to \mathcal D$ and $\star : \mathcal D \times \mathcal D \to \mathcal D$ as functors between monoidal categories for the $(I, \circ)$ monoidal structure on


³ If $\mathcal C$ is locally $\kappa$-presentable with the $\kappa$-presentable objects closed under $I$ and $\otimes$, then the $\kappa$-accessible endofunctors on $\mathcal C$ form a monoidal category with $\star$ as tensor. Garner and López Franco [13, Sect. 8.1] show that this monoidal category is closed, but their closed structure is different from ours. Our $G \multimap^{\star} H$ has the property that natural transformations $F \to G \multimap^{\star} H$ are $H$-residual functor-functor interaction laws of $F, G$ even if $F$ is not accessible; this is not the case for Garner and López Franco's. This is why we do not restrict to fixed $\kappa$, and instead use all of $[\mathcal C, \mathcal C]_a$.
The internal hom object $F \multimap^{\star} I$ is called the dual of $F$. Stretching this terminology, the object $F \multimap^{\star} H$ can be called the dual of $F$ wrt. $H$.

We write $\mathbf{Mon}(\mathcal D)$ (respectively $\mathbf{Comon}(\mathcal D)$) for the categories of monoids (resp. comonoids) in $\mathcal D$ wrt. the $(I, \circ)$ monoidal structure.

The composition monoidal and Day convolution symmetric monoidal closed structures $(\mathrm{Id}, \cdot)$ and $(J, \star, \multimap^{\star})$ on $[\mathcal C, \mathcal C]_a$ yield an example of such a symmetric duoidal category $\mathcal D$. The categories $\mathbf{Mon}([\mathcal C, \mathcal C]_a)$ and $\mathbf{Comon}([\mathcal C, \mathcal C]_a)$ are those of accessible monads and comonads.

The object $J$ has a comonoid structure $J \to I$, $J \to J \circ J$, and the functor $\multimap^{\star} : \mathcal D^{\mathrm{op}} \times \mathcal D \to \mathcal D$ is lax monoidal wrt. the $(I, \circ)$ monoidal structure. The operations

$$\star : \mathcal D \times \mathcal D \to \mathcal D$$
$$\multimap^{\star} : \mathcal D^{\mathrm{op}} \times \mathcal D \to \mathcal D$$

lift to

$$\begin{array}{ll}
\star : \mathbf{Comon}(\mathcal D) \times \mathbf{Comon}(\mathcal D) \to \mathbf{Comon}(\mathcal D) & \text{tensor of comonoids} \\
\multimap^{\star} : (\mathbf{Comon}(\mathcal D))^{\mathrm{op}} \times \mathbf{Mon}(\mathcal D) \to \mathbf{Mon}(\mathcal D) & \text{power of a monoid}
\end{array}$$

in the sense that the lifted operations commute with the forgetful functors $U$, i.e.

$$U \circ \star = \star \circ (U \times U) : \mathbf{Comon}(\mathcal D) \times \mathbf{Comon}(\mathcal D) \to \mathcal D, \qquad
U \circ \multimap^{\star} = \multimap^{\star} \circ (U^{\mathrm{op}} \times U) : (\mathbf{Comon}(\mathcal D))^{\mathrm{op}} \times \mathbf{Mon}(\mathcal D) \to \mathcal D,$$

via

$$\varepsilon = D_0 \star D_1 \xrightarrow{\varepsilon \star \varepsilon} I \star I \to I$$
$$\delta = D_0 \star D_1 \xrightarrow{\delta \star \delta} (D_0 \circ D_0) \star (D_1 \circ D_1) \to (D_0 \star D_1) \circ (D_0 \star D_1)$$

$$\eta = I \to I \multimap^{\star} I \xrightarrow{\varepsilon \multimap^{\star} \eta} D \multimap^{\star} R$$
$$\mu = (D \multimap^{\star} R) \circ (D \multimap^{\star} R) \to (D \circ D) \multimap^{\star} (R \circ R) \xrightarrow{\delta \multimap^{\star} \mu} D \multimap^{\star} R$$

Comonoid maps $D_0 \star D_1 \to D$ are the same as maps $\psi : UD_0 \star UD_1 \to UD$ satisfying

$$\varepsilon \circ \psi = (I \star I \to I) \circ (\varepsilon \star \varepsilon) : D_0 \star D_1 \to I,$$
$$\delta \circ \psi = (\psi \circ \psi) \circ \big((D_0 \circ D_0) \star (D_1 \circ D_1) \to (D_0 \star D_1) \circ (D_0 \star D_1)\big) \circ (\delta \star \delta) : D_0 \star D_1 \to D \circ D$$

(omitting the $U$s in the equations). Such maps $\psi$ could be called $D$-residual comonoid-comonoid interaction laws of $D_0, D_1$.

Monoid maps $T \to D \multimap^{\star} R$ are in bijection with maps $\psi : UT \star UD \to UR$ that satisfy

$$\psi \circ (\eta \star D) = \eta \circ (I \star I \to I) \circ (I \star \varepsilon) : I \star D \to R,$$
$$\psi \circ (\mu \star D) = \mu \circ (\psi \circ \psi) \circ \big((T \circ T) \star (D \circ D) \to (T \star D) \circ (T \star D)\big) \circ ((T \circ T) \star \delta) : (T \circ T) \star D \to R$$

(again omitting the $U$s in the equations), which are known as measuring maps from $T$ to $R$ by $D$ and which we can also call $R$-residual monoid-comonoid interaction laws of $T, D$.

The three Sweedler operations

$$\begin{array}{ll}
\mathsf C : (\mathbf{Comon}(\mathcal D))^{\mathrm{op}} \times \mathbf{Comon}(\mathcal D) \to \mathbf{Comon}(\mathcal D) & \text{internal hom of comonoids} \\
\triangleright : \mathbf{Comon}(\mathcal D) \times \mathbf{Mon}(\mathcal D) \to \mathbf{Mon}(\mathcal D) & \text{Sweedler copower of a monoid} \\
\mathsf M : (\mathbf{Mon}(\mathcal D))^{\mathrm{op}} \times \mathbf{Mon}(\mathcal D) \to \mathbf{Comon}(\mathcal D) & \text{Sweedler hom of monoids (univ. measuring comonoid)}
\end{array}$$

are everywhere defined by the following adjunctions if the adjoints exist.

$$- \star D_1 \;\dashv\; \mathsf C(D_1, -) : \mathbf{Comon}(\mathcal D) \to \mathbf{Comon}(\mathcal D), \qquad
D \triangleright - \;\dashv\; D \multimap^{\star} - : \mathbf{Mon}(\mathcal D) \to \mathbf{Mon}(\mathcal D), \qquad
- \triangleright T \;\dashv\; \mathsf M(T, -) : \mathbf{Mon}(\mathcal D) \to \mathbf{Comon}(\mathcal D)$$

They are defined for specific pairs of (co)monoids if the universal objects specified by the following bijections exist.

$$\begin{array}{lll}
& UT \star UD \to UR \ \text{meas.} & \\
\hline
& T \to D \multimap^{\star} R & \\
\hline
D_0 \star D_1 \to D & & D \triangleright T \to R \\
\hline
D_0 \to \mathsf C(D_1, D) & & D \to \mathsf M(T, R)
\end{array}$$

The comonoid $\mathsf M(T, T)$ is called the Sweedler dual of the monoid $T$.

By definition, the comonoid $\mathsf C(D_1, D)$ is the final comonoid interacting with the comonoid $D_1$ $D$-residually. The Sweedler hom $\mathsf M(T, R)$ is the final $R$-residually interacting comonoid for the monoid $T$. The Sweedler copower $D \triangleright T$ is the initial residual monoid for monoid-comonoid interactions of $T$ and $D$.

If the Sweedler operations are everywhere defined, for which it suffices that $\mathcal D$ is locally presentable [20, Thm. 20], then the category $(\mathbf{Comon}(\mathcal D), J, \star, \mathsf C)$ is symmetric monoidal closed and the category $(\mathbf{Mon}(\mathcal D), \triangleright, \multimap^{\star}, \mathsf M)$ is copowered, powered and enriched over $(\mathbf{Comon}(\mathcal D), J, \star, \mathsf C)$. However, local presentability of $\mathcal C$ is not enough for local presentability (or even accessibility) of $[\mathcal C, \mathcal C]_a$ (for example, $[\mathbf{Set}, \mathbf{Set}]_a$ is not accessible). In Sect. 5, we return to the question of everywhere-definedness of the Sweedler operations for $[\mathcal C, \mathcal C]_a$.

The Sweedler theory perspective allows us to establish some facts about 
interaction laws of free monads very easily. For example, we can straightforwardly 
derive a characterization of measuring maps from the free monoid F* on F 
(assuming it exists). 


Proposition 1. Measuring maps U(F*) ⋆ UD → UR are in bijection with maps 
F ⋆ UD → UR. 

Proof. This is witnessed by the following chain of bijections. 

$$\begin{array}{c}
F \star UD \to UR\\ \hline
F \to UD \multimap_\star UR\\ \hline
F \to U(D \multimap_\star R)\\ \hline
F^* \to D \multimap_\star R\\ \hline
U(F^*) \star UD \to UR \ \text{ meas.}
\end{array}$$
Similarly, we can calculate closed-form expressions for the Sweedler hom from 
a free monoid and the Sweedler copower of a free monoid. Here G^† denotes the 
cofree comonoid on G (if it exists). 


Proposition 2. (i) M(F*, R) ≅ (F −⋆ UR)^†. (ii) D ▷ F* ≅ (F ⋆ UD)*. 


Proof. (i) As witnessed by the chain of bijections on the left below, comonoid 
maps D → M(F*, R) and comonoid maps D → (F −⋆ UR)^† are in bijection 
naturally in D. (ii) The chain of bijections on the right below composes to a 
bijection natural in R between monoid maps D ▷ F* → R and monoid maps 
(F ⋆ UD)* → R. 

$$\begin{array}{c}
D \to (F \multimap_\star UR)^\dagger\\ \hline
UD \to F \multimap_\star UR\\ \hline
F \to UD \multimap_\star UR\\ \hline
F \to U(D \multimap_\star R)\\ \hline
F^* \to D \multimap_\star R\\ \hline
D \to M(F^*, R)
\end{array}
\qquad\qquad
\begin{array}{c}
(F \star UD)^* \to R\\ \hline
F \star UD \to UR\\ \hline
F \to UD \multimap_\star UR\\ \hline
F \to U(D \multimap_\star R)\\ \hline
F^* \to D \multimap_\star R\\ \hline
D \rhd F^* \to R
\end{array}$$


Example 2. Let C = Set. (i) Take F = 0, then F* ≅ Id. We can calculate 
F −⋆ UR ≅ 1, therefore M(F*, R) ≅ Id, for any monad R. 

Next take FX = X², then F*X ≅ μX'. X + X'² (these are leaf-labelled 
binary trees). We can calculate (F −⋆ UR)Y ≅ R(2 × Y), hence M(F*, R)Y ≅ 
νY'. Y × R(2 × Y') (node-labelled streams of bits for R = Id, node-labelled 
nonempty colists of bits for RZ = 1 + Z). 

Finally, take FX = 1 + X², then F*X ≅ μX'. X + 1 + X'² (leaf-labelled 
nullary-binary trees). We calculate (F −⋆ UR)Y ≅ R0 × R(2 × Y), hence 
M(F*, R)Y ≅ νY'. Y × R0 × R(2 × Y'). For R = Id and any R such 
that R0 ≅ 0, this means that M(F*, R) ≅ 0. For RZ = 1 + Z, we get 
M(F*, R)Y ≅ νY'. Y × (1 + 2 × Y') (node-labelled nonempty colists of bits). 

(ii) Take F = 0, then F* ≅ Id. We can calculate (F ⋆ UD) ≅ 0, hence 
D ▷ F* ≅ Id, for any comonad D. 

Take FX = X², then F*X ≅ μX'. X + X'². We can calculate (F ⋆ UD) Z ≅ 
D(Z²), therefore (D ▷ F*) Z ≅ μZ'. Z + D(Z'²). 

Take FX = 1 + X², then F*X ≅ μX'. X + 1 + X'². We can calculate 
(F ⋆ UD) Z ≅ D1 + D(Z²), therefore (D ▷ F*) Z ≅ μZ'. Z + D1 + D(Z'²). 

These examples generalize to any wellpointed, locally presentable C with 
exponentials, when R and D are strong. 


In exactly the same way as above, comonoid maps D_0 ⋆ D_1 → G^† are in 
bijection with maps UD_0 ⋆ UD_1 → G, and C(D_1, G^†) ≅ (UD_1 −⋆ G)^†. 

In the rest of this paper, we ignore comonad-comonad interaction laws and 
the internal hom of comonads since they are not our main focus. But develop- 
ments similar to those for monad-comonad interaction laws and the Sweedler 
hom of monads and the Sweedler copower of a monad in Sects. 4, 5 below can 
be carried out for them as well. 
4 Monad-comonad Interaction Laws (Co)algebraically 


We now return to monad-comonad interaction laws specifically and explain the 
(co)algebraic perspective developed in [33]. (Props. 4 and 6 did not appear in 
[33].) First, monad-comonad interaction laws admit the following useful charac- 
terization in terms of (co)algebras of the (co)monads involved. 


Proposition 3. R-residual monad-comonad interaction laws ψ of T, D are in 
bijection with functors Ψ : (Coalg(D))^op × Alg(R) → Alg(T) that internal-hom 
carriers, i.e., satisfy 

$$\begin{array}{ccc}
(\mathrm{Coalg}(D))^{\mathrm{op}} \times \mathrm{Alg}(R) & \xrightarrow{\ \Psi\ } & \mathrm{Alg}(T)\\
{\scriptstyle U^{\mathrm{op}} \times U}\downarrow & & \downarrow{\scriptstyle U}\\
C^{\mathrm{op}} \times C & \xrightarrow{\ \multimap\ } & C
\end{array}$$

Proof (sketch). Given an interaction law ψ, the functor Ψ is defined by 

$$\Psi((Y, \chi), (Z, \zeta)) = \big(Y \multimap Z,\ T(Y \multimap Z) \xrightarrow{\ \psi_{Y,Z}\ } DY \multimap RZ \xrightarrow{\ \chi \multimap \zeta\ } Y \multimap Z\big)$$

Conversely, given a functor Ψ, the corresponding interaction law ψ is defined by 

$$\psi_{Y,Z} = T(Y \multimap Z) \xrightarrow{\ T(\varepsilon_Y \multimap \eta^R_Z)\ } T(DY \multimap RZ) \xrightarrow{\ \xi\ } DY \multimap RZ$$

where (DY ⊸ RZ, ξ) = Ψ((DY, δ_Y), (RZ, μ^R_Z)). 

We remark that such functors Ψ are completely determined by their action on 
(co)free (co)algebras. To be precise, there is a bijection between these functors 
and functors Ψ' : (CoKl(D))^op × Kl(R) → Alg(T) that satisfy 

$$\begin{array}{ccc}
(\mathrm{CoKl}(D))^{\mathrm{op}} \times \mathrm{Kl}(R) & \xrightarrow{\ \Psi'\ } & \mathrm{Alg}(T)\\
{\scriptstyle K^{\mathrm{op}} \times K}\downarrow & & \downarrow{\scriptstyle U}\\
C^{\mathrm{op}} \times C & \xrightarrow{\ \multimap\ } & C
\end{array}$$

where K : CoKl(D) → C is the left adjoint of the coKleisli adjunction of D and 
K : Kl(R) → C is the right adjoint of the Kleisli adjunction of R. 

The following reformulations of Prop. 1 enable a smooth derivation of further 
characterizations of monad-comonad interaction laws in terms of what we call 
runners, introduced next. 


Corollary 1. R-residual interaction laws of T, D are in bijection with functors 
Ψ : Coalg(D) → [Alg(R), Alg(T)]^op satisfying 

$$\begin{array}{ccc}
\mathrm{Coalg}(D) & \xrightarrow{\ \Psi\ } & [\mathrm{Alg}(R), \mathrm{Alg}(T)]^{\mathrm{op}}\\
{\scriptstyle U}\downarrow & & \downarrow{\scriptstyle [\mathrm{Alg}(R), U]^{\mathrm{op}}}\\
C & \xrightarrow{\ (Y \mapsto Y \multimap -)^{\mathrm{op}}\ } [C, C]^{\mathrm{op}} \xrightarrow{\ [U, C]^{\mathrm{op}}\ } & [\mathrm{Alg}(R), C]^{\mathrm{op}}
\end{array}$$

and also with functors Φ : Alg(R) → [(Coalg(D))^op, Alg(T)] satisfying 

$$\begin{array}{ccc}
\mathrm{Alg}(R) & \xrightarrow{\ \Phi\ } & [(\mathrm{Coalg}(D))^{\mathrm{op}}, \mathrm{Alg}(T)]\\
{\scriptstyle U}\downarrow & & \downarrow{\scriptstyle [(\mathrm{Coalg}(D))^{\mathrm{op}}, U]}\\
C & \xrightarrow{\ (Z \mapsto - \multimap Z)\ } [C^{\mathrm{op}}, C] \xrightarrow{\ [U^{\mathrm{op}}, C]\ } & [(\mathrm{Coalg}(D))^{\mathrm{op}}, C]
\end{array}$$


Stateful Runners 

Say that an R-residual stateful runner of T is an object Y ∈ C together with a 
family of maps 

$$\theta_X : TX \otimes Y \to R(X \otimes Y)$$

natural in X satisfying 

$$\theta_X \circ (\eta_X \otimes Y) = \eta^R_{X \otimes Y} : X \otimes Y \to R(X \otimes Y), \qquad
\theta_X \circ (\mu_X \otimes Y) = \mu^R_{X \otimes Y} \circ R\theta_X \circ \theta_{TX} : TTX \otimes Y \to R(X \otimes Y)$$

Maps (Y, θ) → (Y', θ') between stateful runners are maps f : Y → Y' satisfying 
R(X ⊗ f) ∘ θ_X = θ'_X ∘ (TX ⊗ f). Stateful runners form a category SRun_R(T). 
R-residual stateful runners of T with carrier Y are in bijection with monad 
maps T → St^R_Y where St^R_Y is the R-transformed state monad for state object Y 
defined by St^R_Y X = Y ⊸ R(X ⊗ Y). 
They are also in bijection with functors Θ : Alg(R) → Alg(T) that internal- 
hom Y with the carrier, i.e., satisfy 

$$\begin{array}{ccc}
\mathrm{Alg}(R) & \xrightarrow{\ \Theta\ } & \mathrm{Alg}(T)\\
{\scriptstyle U}\downarrow & & \downarrow{\scriptstyle U}\\
C & \xrightarrow{\ Y \multimap -\ } & C
\end{array}$$

Proof (sketch). Given a stateful runner θ, the functor Θ is defined by 

$$\Theta(Z, \zeta) = \big(Y \multimap Z,\ T(Y \multimap Z) \xrightarrow{\ \theta_{Y \multimap Z}\ } Y \multimap R((Y \multimap Z) \otimes Y) \xrightarrow{\ Y \multimap R\,\mathrm{ev}\ } Y \multimap RZ \xrightarrow{\ Y \multimap \zeta\ } Y \multimap Z\big)$$

Conversely, given a functor Θ, the stateful runner θ is 

$$\theta_X = TX \xrightarrow{\ T\,\mathrm{coev}\ } T(Y \multimap X \otimes Y) \xrightarrow{\ T(Y \multimap \eta^R_{X \otimes Y})\ } T(Y \multimap R(X \otimes Y)) \xrightarrow{\ \xi\ } Y \multimap R(X \otimes Y)$$

where (Y ⊸ R(X ⊗ Y), ξ) = Θ(R(X ⊗ Y), μ^R_{X ⊗ Y}). 


This observation is strengthened by the following proposition that also talks 
about stateful runner maps. 

Proposition 4. The following is a pullback square: 

$$\begin{array}{ccc}
\mathrm{SRun}_R(T) & \longrightarrow & [\mathrm{Alg}(R), \mathrm{Alg}(T)]^{\mathrm{op}}\\
{\scriptstyle U}\downarrow & & \downarrow{\scriptstyle [\mathrm{Alg}(R), U]^{\mathrm{op}}}\\
C & \xrightarrow{\ (Y \mapsto Y \multimap -)^{\mathrm{op}}\ } [C, C]^{\mathrm{op}} \xrightarrow{\ [U, C]^{\mathrm{op}}\ } & [\mathrm{Alg}(R), C]^{\mathrm{op}}
\end{array}$$

Combining Prop. 4 with Cor. 1, we obtain a characterization of monad- 
comonad interaction laws in terms of stateful runners. 

Proposition 5. R-residual monad-comonad interaction laws of T, D are in a bi- 
jection with functors Φ : Coalg(D) → SRun_R(T) preserving carriers, i.e., 
satisfying 

$$U \circ \Phi = U : \mathrm{Coalg}(D) \to C$$


Continuation-Based Runners 

A D-fuelled continuation-based runner of T is an object Z ∈ C together with a 
family of maps 

$$\theta_X : D(X \multimap Z) \to TX \multimap Z$$

natural in X satisfying 

$$(\eta_X \multimap Z) \circ \theta_X = \varepsilon_{X \multimap Z} : D(X \multimap Z) \to X \multimap Z, \qquad
(\mu_X \multimap Z) \circ \theta_X = \theta_{TX} \circ D\theta_X \circ \delta_{X \multimap Z} : D(X \multimap Z) \to TTX \multimap Z$$

These runners form a category CRun_D(T). 

D-fuelled continuation-based runners of T with carrier Z are in bijection with 
monad maps T → Cnt^D_Z, where Cnt^D_Z is the D-transformed continuation monad 
for answer object Z defined by Cnt^D_Z X = D(X ⊸ Z) ⊸ Z. 

Continuation-based runners are also in bijection with functors Θ : 
(Coalg(D))^op → Alg(T) that internal-hom the carrier with Z, i.e., that sat- 
isfy 

$$\begin{array}{ccc}
(\mathrm{Coalg}(D))^{\mathrm{op}} & \xrightarrow{\ \Theta\ } & \mathrm{Alg}(T)\\
{\scriptstyle U^{\mathrm{op}}}\downarrow & & \downarrow{\scriptstyle U}\\
C^{\mathrm{op}} & \xrightarrow{\ - \multimap Z\ } & C
\end{array}$$

Moreover: 

Proposition 6. The following is a pullback square: 

$$\begin{array}{ccc}
\mathrm{CRun}_D(T) & \longrightarrow & [(\mathrm{Coalg}(D))^{\mathrm{op}}, \mathrm{Alg}(T)]\\
{\scriptstyle U}\downarrow & & \downarrow{\scriptstyle [(\mathrm{Coalg}(D))^{\mathrm{op}}, U]}\\
C & \xrightarrow{\ (Z \mapsto - \multimap Z)\ } [C^{\mathrm{op}}, C] \xrightarrow{\ [U^{\mathrm{op}}, C]\ } & [(\mathrm{Coalg}(D))^{\mathrm{op}}, C]
\end{array}$$

Combining this proposition with Cor. 1, we obtain: 

Proposition 7. R-residual monad-comonad interaction laws of T, D are in 
bijection with functors Ψ : Alg(R) → CRun_D(T) that preserve carriers, i.e., 
that satisfy 

$$U \circ \Psi = U : \mathrm{Alg}(R) \to C$$
5 Combining Sweedler Theory and the (Co)algebraic Perspective 


We now combine our (co)algebraic observations with Sweedler theory. 


Sweedler Hom 


By definition, the Sweedler hom between monads T, R, if it exists, is the comonad 
M(T, R) together with a monad-comonad interaction law υ such that, for any 
other comonad D and monad-comonad interaction law ψ, there exists a unique 
comonad map g : D → M(T, R) satisfying 

$$\psi_{X,Y} = TX \otimes DY \xrightarrow{\ TX \otimes g_Y\ } TX \otimes M(T, R)Y \xrightarrow{\ \upsilon_{X,Y}\ } R(X \otimes Y)$$

Comonad maps D → D' are in bijection with functors Coalg(D) → 
Coalg(D') that preserve carriers. Therefore, by Prop. 5, the Sweedler hom, 
if it exists, is the comonad M(T, R) together with a carrier-preserving functor 
Υ : Coalg(M(T, R)) → SRun_R(T) such that, for any other comonad D and 
carrier-preserving functor Ψ : Coalg(D) → SRun_R(T), there exists a unique 
carrier-preserving functor Γ : Coalg(D) → Coalg(M(T, R)) such that 

$$\Psi = \mathrm{Coalg}(D) \xrightarrow{\ \Gamma\ } \mathrm{Coalg}(M(T, R)) \xrightarrow{\ \Upsilon\ } \mathrm{SRun}_R(T)$$

It follows that, if (SRun_R(T), U) is strictly comonadic, then M(T, R) exists 
and (Coalg(M(T, R)), U) ≅ (SRun_R(T), U). (Should (SRun_R(T), U) fail to 
be strictly comonadic, then M(T, R) may still exist, but with different algebras.) 
Easy calculations show that U strictly creates equalizers of U-split pairs. Hence, 
by the dual of Beck's monadicity theorem, U is strictly comonadic if it is a left 
adjoint. Under our assumptions on C, T and R from Sect. 2, all is well. 


Theorem 1. If C is locally presentable and T and R are accessible mon- 
ads on C, then SRun_R(T) is locally presentable and the forgetful functor 
U : SRun_R(T) → C is a left adjoint. Hence the Sweedler hom M(T, R) ex- 
ists, is accessible, and satisfies (Coalg(M(T, R)), U) ≅ (SRun_R(T), U). 


Proof (sketch). We first show that SRun_R(T) is locally presentable. The func- 
tor U : SRun_R(T) → C strictly creates colimits by easy calculations, and hence 
SRun_R(T) is cocomplete. For local presentability, it therefore remains to show 
that SRun_R(T) is accessible, which we do by appealing to the fact that ac- 
cessible categories are closed under inserters and equifiers. The category of F- 
coalgebras, for any accessible endofunctor F on C, is an inserter of accessible 
functors, and is therefore accessible by [1, Thm. 2.72]. For each Y, families 
of maps θ_X : TX ⊗ Y → R(X ⊗ Y) natural in X are in bijection with maps 
χ : Y → (T −⋆ R)Y, so that R-residual stateful runners of T are equivalently 
coalgebras (Y, χ) of the functor T −⋆ R, satisfying two equations. One equation 
is an equality between two maps Y → (Id −⋆ R)Y, the other between two maps 
Y → ((T · T) −⋆ R)Y. It follows that SRun_R(T) is isomorphic to a full sub- 
category of the category coalg(T −⋆ R) of (T −⋆ R)-coalgebras, and that this 
full subcategory is the joint equifier of two natural transformations of accessible 
functors coalg(T −⋆ R) → coalg(Id −⋆ R) and of two natural transformations of 
accessible functors coalg(T −⋆ R) → coalg((T · T) −⋆ R). Accessible categories 
are closed under equifiers of natural transformations of accessible functors [1, 
Lemma 2.76], so SRun_R(T) is accessible and hence locally presentable. 

As a colimit-preserving functor between locally presentable categories, U is a 
left adjoint by Freyd's special adjoint functor theorem, thus strictly comonadic. 
The induced comonad is the Sweedler hom M(T, R). Accessibility of M(T, R) 
follows from accessibility of the adjoints (the right adjoint by [1, Prop. 2.23]). 


Example 3. Let C = Set. Take TX = X^S (the reader monad for state object S). 
R-residual stateful runners of T are objects Y with families of maps X^S × Y → 
R(X × Y) natural in X or, equivalently, maps Y → R(S × Y) constrained by two 
equations. For R = Id or R = 1 + −, these are in bijection with maps Y → S. The 
comonad with such structured objects Y as coalgebras, which is the Sweedler 
hom of T and R, is DY = S × Y (the coreader comonad for S). For a general 
accessible monad R, the Sweedler hom can be described as a subcomonad of the 
cofree comonad DY = νY'. Y × R(S × Y'). 

Take TX = X^+ = μX'. X × (1 + X') (the nonempty list monad with con- 
catenation as multiplication, free semigroup monad). R-residual stateful runners 
of T are objects Y with families of maps X^+ × Y → R(X × Y) natural in X 
satisfying two equations or, equivalently, maps (X × X) × Y → R(X × Y) con- 
strained by one equation or, equivalently, maps Y → R(Y + Y) coassociative 
wrt. the coproduct monoidal structure of Kl(R), i.e., making Y into a cosemi- 
group. For R = Id, the corresponding comonad is the cofree cosemigroup (wrt. 
the coproduct monoidal structure on Set) comonad. Its underlying functor is 
DY ≅ Y × (Y + Y). 

These examples generalize to any wellpointed, locally presentable C with 
exponentials, when R is a strong monad. 
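As an added illustration (not code from the paper), the reader-monad case of Example 3 for R = Id in Python: a coalgebra of the coreader comonad DY = S × Y, i.e. a map h : Y → S, is turned into a stateful runner of TX = X^S via the canonical interaction law (the direction Coalg(D) → SRun_R(T) of Prop. 5), the two runner laws are checked on finite sample data, and the runner is read back as a monad map into the state monad St_Y. The state object, carrier, coalgebra and sample computations are all constructed values.

```python
# Added example, not from the paper: Example 3 for the reader monad T X = X^S
# with R = Id, over constructed finite data so that the runner laws can be
# checked exhaustively.
from itertools import product

S = (0, 1, 2)                 # constructed state object S
Y = ("a", "b", "c")           # constructed carrier Y

# Reader monad: elements of T X are callables S -> X.
def unit(x):                  # eta_X : X -> T X
    return lambda s: x

def mult(tt):                 # mu_X : T T X -> T X
    return lambda s: tt(s)(s)

# A coalgebra of the coreader comonad D Y = S x Y whose counit law holds is
# exactly a map h : Y -> S; its structure map is gamma(y) = (h(y), y).
def coalgebra_from(h):
    return lambda y: (h(y), y)

# The interaction law of the reader monad with the coreader comonad:
# psi_{X,Y} : T X x D Y -> X x Y, (f, (s, y)) |-> (f(s), y).
def psi(t, dy):
    s, y = dy
    return (t(s), y)

# Prop. 5 sends the coalgebra (Y, gamma) to the stateful runner
# theta_X = psi_{X,Y} o (T X x gamma) : T X x Y -> X x Y   (R = Id).
def runner_from_coalgebra(gamma):
    return lambda t, y: psi(t, gamma(y))

# A natural family that advances the carrier breaks the unit law, because
# eta_X must leave the state untouched.
def bad_runner(h, step):
    return lambda t, y: (t(h(y)), step(y))

# The two runner laws for R = Id, checked pointwise:
#   theta_X(eta_X x, y) = (x, y)
#   theta_X(mu_X tt, y) = theta_X(theta_{TX}(tt, y))
def runner_laws_hold(theta, xs, ys):
    for x, y in product(xs, ys):
        if theta(unit(x), y) != (x, y):
            return False
    # generic elements of T T X, with X = xs x S x S, that look at both states
    outer = [lambda s, s2, x=x: (x, s, s2) for x in xs]
    for f, y in product(outer, ys):
        tt = lambda s, f=f: (lambda s2: f(s, s2))
        lhs = theta(mult(tt), y)
        t1, y1 = theta(tt, y)       # theta_{TX}
        if lhs != theta(t1, y1):    # then theta_X
            return False
    return True

# The same runner as a monad map T -> St_Y, where St_Y X = Y -> X x Y.
def to_state_monad_map(theta):
    return lambda t: (lambda y: theta(t, y))

H = {"a": 0, "b": 2, "c": 1}.get             # constructed coalgebra h : Y -> S
STEP = {"a": "b", "b": "c", "c": "a"}.get     # constructed permutation of Y

def demo():
    theta = runner_from_coalgebra(coalgebra_from(H))
    laws = runner_laws_hold(theta, ("p", "q"), Y)
    observe = lambda s: ("seen", s)           # a reader computation in T X
    return laws, to_state_monad_map(theta)(observe)("b")

def demo_bad():
    return runner_laws_hold(bad_runner(H, STEP), ("p", "q"), Y)

if __name__ == "__main__":
    print(demo(), demo_bad())
```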


Sweedler Copower 


The Sweedler copower of a monad T by a comonad D, if it exists, is by definition 
the monad D ▷ T together with a monad-comonad interaction law υ such that, 
for any other monad R and monad-comonad interaction law ψ, there exists a 
unique monad map g : D ▷ T → R satisfying 

$$\psi_{X,Y} = TX \otimes DY \xrightarrow{\ \upsilon_{X,Y}\ } (D \rhd T)(X \otimes Y) \xrightarrow{\ g_{X \otimes Y}\ } R(X \otimes Y)$$
Monad maps R' → R are in bijection with functors Alg(R) → Alg(R') that 
preserve carriers. Therefore, by Prop. 7, the Sweedler copower, if it exists, is 
the monad D ▷ T together with a carrier-preserving functor Υ : Alg(D ▷ T) → 
CRun_D(T) such that, for any other monad R and carrier-preserving functor 
Ψ : Alg(R) → CRun_D(T), there exists a unique carrier-preserving functor 
Γ : Alg(R) → Alg(D ▷ T) such that 

$$\Psi = \mathrm{Alg}(R) \xrightarrow{\ \Gamma\ } \mathrm{Alg}(D \rhd T) \xrightarrow{\ \Upsilon\ } \mathrm{CRun}_D(T)$$

Consequently, if (CRun_D(T), U) is strictly monadic, then D ▷ T exists and 
(Alg(D ▷ T), U) ≅ (CRun_D(T), U). This is the case as soon as U is a right ad- 
joint by Beck's strict monadicity theorem, because U is easily verified to strictly 
create U-split coequalizers. 


Theorem 2. If C is locally presentable and T and D are accessible, then 
CRun_D(T) is locally presentable and the forgetful functor U : CRun_D(T) → C 
is a right adjoint. Hence the Sweedler copower D ▷ T exists, is accessible, and 
satisfies (Alg(D ▷ T), U) ≅ (CRun_D(T), U). 

Proof (sketch). The proof is similar to that of Thm. 1. The functor U strictly cre- 
ates limits, so CRun_D(T) is complete. The category CRun_D(T) is isomorphic 
to a full subcategory of the category of algebras of the functor D ⋆ T, form- 
ing a joint equifier. Categories of algebras of accessible endofunctors on C are 
inserters of accessible functors, and hence form accessible categories. It follows 
that CRun_D(T) is also accessible, and hence locally presentable. The functor 
U strictly creates κ-filtered colimits, where κ is such that Id ⋆ T, D ⋆ T, and 
(D · D) ⋆ T are κ-accessible; in particular, U is accessible. Since U also strictly 
creates limits, it is therefore a right adjoint by [1, Theorem 1.66]. The induced 
monad is the Sweedler copower D ▷ T, which is accessible because both adjoints 
are. 


Example 4. Let C = Set. Take TX = M × X where (M, u, ∗) is a monoid (the 
writer monad) and DY = S × Y (the coreader comonad). D-fuelled continuation- 
based runners of T are objects Z with families of maps S × Z^X → Z^{M × X} natural 
in X or, equivalently, maps (S × M) × Z → Z, subject to two equations. The 
monad with such structured objects Z as algebras, which is the Sweedler copower 
of T and D, is the writer monad for the free monoid on S × M quotiented by 
(s, a) ∗ (s, b) = (s, a ∗ b) and u = (s, u). 
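As an added illustration (not code from the paper), Example 4 in Python: a continuation-based runner of the writer monad TX = M × X fuelled by the coreader comonad DY = S × Y is given by an action (S × M) × Z → Z, the two runner laws are checked on finite sample data, and the normal form of the quotient monoid describing the Sweedler copower D ▷ T is used to build a lawful action, an unlawful one, and the universal interaction law. The monoid M (strings under concatenation), the state object S, the carriers and all sample inputs are constructed.

```python
# Added example, not from the paper: Example 4 (writer monad T X = M x X,
# coreader comonad D Y = S x Y) over constructed finite data.
from itertools import product

M_UNIT = ""                      # constructed monoid M: strings under concatenation
def m_mult(a, b):
    return a + b
S = (0, 1)                       # constructed state object S
M_SAMPLES = ("", "x", "yz")      # constructed sample elements of M

def unit(x):                     # eta_X : X -> M x X
    return (M_UNIT, x)

def mult(tt):                    # mu_X : M x (M x X) -> M x X
    m1, (m2, x) = tt
    return (m_mult(m1, m2), x)

def counit(dy):                  # epsilon_Y : S x Y -> Y
    return dy[1]

def comult(dy):                  # delta_Y : S x Y -> S x (S x Y)
    s, y = dy
    return (s, (s, y))

def normalize(word):
    """Normal form in the free monoid on S x M quotiented by (s,u) = u and
    (s,a)(s,b) = (s, a*b): drop unit letters, merge adjacent equal-state letters."""
    out = []
    for s, m in word:
        if m == M_UNIT:
            continue
        if out and out[-1][0] == s:
            out[-1] = (s, m_mult(out[-1][1], m))   # concatenation never yields u
        else:
            out.append((s, m))
    return out

# The quotient monoid acting on its own normal forms by prepending a letter:
# an algebra of D |> T, hence a lawful action (S x M) x Z -> Z.
def quotient_action(s, m, z):
    return normalize([(s, m)] + z)

# An action that ignores the quotient relations; it fails both runner laws.
def bad_action(s, m, z):
    return z + [(s, m)]

# By naturality in X, a runner theta_X : S x (X -> Z) -> (M x X -> Z) is
# determined by an action: theta_X(s, k)(m, x) = act(s, m, k(x)).
def runner_from_action(act):
    def theta(dk):
        s, k = dk
        return lambda tx: act(s, tx[0], k(tx[1]))
    return theta

# The universal interaction law upsilon_{X,Y} : T X x D Y -> (D |> T)(X x Y).
def upsilon(tx, dy):
    (m, x), (s, y) = tx, dy
    return (normalize([(s, m)]), (x, y))

# The two runner laws, checked pointwise over the sample data:
#   (eta_X -o Z) . theta_X = epsilon_{X -o Z}
#   (mu_X -o Z) . theta_X = theta_{TX} . D(theta_X) . delta_{X -o Z}
def runner_laws_hold(theta, xs, zs):
    ks = [lambda x, z=z: z for z in zs]                  # constant continuations
    ks.append(lambda x: zs[xs.index(x) % len(zs)])       # one that reads x
    for s, k, x in product(S, ks, xs):
        dk = (s, k)
        if theta(dk)(unit(x)) != counit(dk)(x):
            return False
        for m1, m2 in product(M_SAMPLES, M_SAMPLES):
            tt = (m1, (m2, x))                           # an element of T T X
            lhs = theta(dk)(mult(tt))
            s2, inner = comult(dk)
            rhs = theta((s2, theta(inner)))(tt)
            if lhs != rhs:
                return False
    return True

ZS = ([], [(0, "a")], [(1, "b"), (0, "c")])              # constructed sample carriers
XS = ("p", "q")

def check_quotient_action():
    return runner_laws_hold(runner_from_action(quotient_action), XS, ZS)

def check_bad_action():
    return runner_laws_hold(runner_from_action(bad_action), XS, ZS)

if __name__ == "__main__":
    print(check_quotient_action(), check_bad_action())
    print(upsilon(("x", "p"), (0, "q")))
    print(normalize([(0, "a"), (0, ""), (0, "b"), (1, "c")]))
```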


6 Enriched Interaction Laws 


In Sects. 2, 4, 5 above, we worked with (a full subcategory of) the category [C, C] 
of endofunctors on a SMCC C and natural transformations between them, and 
abstracted it to a duoidal category D in Sect. 3. 
An alternative is to proceed from an SMCC (V, 1, ⊗, ⊸) (copowered over 
itself by ⊗ and enriched and powered by ⊸) and another category C that is at 
least copowered or enriched over V, or possibly both or even powered too. In 
this setting, a V-enriched functor-functor interaction law is given by V-enriched 
endofunctors F on V and G and H on C together with either a family of maps 
φ_{X,Y} : FX • GY → H(X • Y) in C that are V-natural in X ∈ V and Y ∈ C or, 
equivalently, a family of maps φ_{Y,Z} : F(C(Y, Z)) → C(GY, HZ) in V that are 
V-natural in Y, Z ∈ C. 

Two cases are of special interest. 


— V = Set: Then the requirements that the category C, the functors F, G, 
H and the natural transformation φ be V-enriched are automatically met, 
but differently from the main setting of this paper, F is an endofunctor on 
a generally different category than G and H. 

— V = C: Then the requirements that the functors F, G, H and the natural 
transformation φ be V-enriched become real restrictions, but F, G, H remain 
endofunctors all on the same category. 


The only case where the enriched setting agrees with the main one of this 
paper of Sects. 2-5, i.e., the concept of interaction law where there are no non- 
vacuous enrichment requirements and the endofunctors involved are all on the 
same category, is the intersection of the above two: V = C = Set. 

A more general situation in which the two settings do not differ too much is 
when V = C and C is monoidally wellpointed. Then all functors with codomain 
C are uniquely C-enriched (but may fail to admit an enrichment) and all natural 
transformations between C-enriched functors with codomain C are C-enriched. 

In the case V = C, which is probably the most interesting case for mathe- 
matical semantics applications, the duoidal abstraction of Sect. 3 still applies. 
We can take D to be (a suitable full subcategory of) C-[C, C], where C-[C, C] is 
the ordinary category of C-functors C — C (strong endofunctors). 

In the case of a general V, the simple duoidal abstraction ceases to apply. We 
need to switch to an action ⋆ : W × D → D (in MonCAT_oplax) of a symmetric 
duoidal category (W, I_W, ∘_W, J_W, ⋆_W) on a monoidal category (D, I, ∘) together 
with a functor −⋆ : D^op × D → W such that − ⋆ G ⊣ G −⋆ − (in CAT). Crucially, 
the action ⋆ comes with structural laws 

$$I_W \star I \to I \qquad\qquad (F \circ_W G) \star (H \circ K) \to (F \star H) \circ (G \star K)$$

witnessing oplaxity of ⋆. Similarly to the simple duoidal situation, we get that 
⋆ and −⋆ lift to functors ⋆ : Comon(W) × Comon(D) → Comon(D) and 
−⋆ : (Comon(D))^op × Mon(D) → Mon(W) and can then define measuring 
maps and Sweedler-like operations and ask if they are everywhere defined. 

The instantiation is given by (suitable full subcategories of) W = V-[V, V], 
D = V-[C, C] and 

$$(F \star G)\, Z = \int^{X,Y} C(X \bullet Y, Z) \bullet (FX \bullet GY) \;\cong\; \int^{Y} F(C(Y, Z)) \bullet GY$$

$$(G \multimap_\star H)\, X = \int_{Y,Z} (X \multimap C(Y, Z)) \multimap C(GY, HZ) \;\cong\; \int_{Y} C(GY, H(X \bullet Y))$$

where the integral signs now stand for V-enriched coends and ends. 
Runners as Generalized Algebras 


Enriched monad-comonad interaction laws can be characterized as enriched func- 
tors between categories of (co)algebras analogously to Props. 3, 5, 7. But one 
pleasant feature of the enriched setting is that enriched versions of both state- 
ful and continuation-based runners of T can be described as algebras of T in a 
generalized sense. 

Suppose we are given an SMCC V (copowered over itself by ⊗ and enriched 
and powered by ⊸) and a V-enriched monad T on V. For a category K that is 
enriched and powered over V, we say that an algebra of T in K is an object Y of 
K together with a family of maps χ_X : X ⋔ Y → TX ⋔ Y in K that is V-enriched 
natural in X ∈ V and satisfies the equations 

$$(\eta_X \pitchfork Y) \circ \chi_X = \mathrm{id}_{X \pitchfork Y}, \qquad (\mu_X \pitchfork Y) \circ \chi_X = \chi_{TX} \circ \chi_X : X \pitchfork Y \to TTX \pitchfork Y$$

If V has enough limits, then these form a V-category Alg(T, K), and there is a 
forgetful V-functor U : Alg(T, K) → C. (The limits are required to carve out 
the object of algebra maps (Y, χ) → (Y', χ') from the hom-object K(Y, Y').) 

An algebra like this is equivalently an object Y ∈ K together with a V- 
enriched monad map T → Knt_Y where Knt_Y X = K(X ⋔ Y, Y). If V = K, an 
algebra of T in this sense is the same as an algebra in the standard sense. In this 
case, we have Knt_Y X = (X ⊸ Y) ⊸ Y. 

Enriched runners of T turn out to be algebras of T in this generalized sense. 
Given a category C enriched and copowered over V and a V-enriched monad R 
on C, a V-enriched R-residual stateful runner of T is an object Y ∈ C together 
with a family of maps θ_X : TX • Y → R(X • Y) in C V-natural in X ∈ V and 
satisfying two equations. Enriched stateful runners of T are in bijection with 
algebras of T in (Kl(R))^op. 


Proof (sketch). The statement is wellformed since, as soon as C is V-enriched 
and copowered by a functor • : V ⊗ C → C, we have that Kl(R) is V-enriched 
and copowered by a functor V ⊗ Kl(R) → Kl(R) that agrees with • on objects. 
Therefore (Kl(R))^op is V-enriched and powered by the opposite of that functor. 
We have the following chain of bijections: 

$$\begin{array}{ll}
TX \bullet Y \to R(X \bullet Y) & \text{in } C,\ V\text{-nat. in } X\\ \hline
TX \bullet Y \to X \bullet Y & \text{in } \mathrm{Kl}(R),\ V\text{-nat. in } X\\ \hline
X \pitchfork Y \to TX \pitchfork Y & \text{in } (\mathrm{Kl}(R))^{\mathrm{op}},\ V\text{-nat. in } X
\end{array}$$


The statement about the category of enriched stateful runners is: 


Proposition 8. If Alg(T, (Kl(R))^op) exists as a V-category, then so does 
V-SRun_R(T), and the following is a pullback square (in V-CAT). 

$$\begin{array}{ccc}
V\text{-}\mathrm{SRun}_R(T) & \longrightarrow & (\mathrm{Alg}(T, (\mathrm{Kl}(R))^{\mathrm{op}}))^{\mathrm{op}}\\
{\scriptstyle U}\downarrow & & \downarrow{\scriptstyle U^{\mathrm{op}}}\\
C & \longrightarrow & \mathrm{Kl}(R)
\end{array}$$

In the special case when V = C and R = Id_C, we get (Coalg(M(T, Id)), U) ≅ 
((Alg(T, C^op))^op, U^op) ("coalgebras" of the C-monad T). 


By the same token, given a V-enriched and powered category C and a V- 
enriched comonad D on C, we can define what a V-enriched D-fuelled contin- 
uation-based runner of T is: an object Z ∈ C together with a family of maps 
θ_X : D(X ⋔ Z) → TX ⋔ Z in C that is V-natural in X ∈ V and satisfies 
two equations. Enriched continuation-based runners of T are in bijection with 
algebras of T in the coKleisli category of D. Moreover: 

Proposition 9. If Alg(T, CoKl(D)) exists as a V-category, then so does 
V-CRun_D(T), and the following is a pullback square: 

$$\begin{array}{ccc}
V\text{-}\mathrm{CRun}_D(T) & \longrightarrow & \mathrm{Alg}(T, \mathrm{CoKl}(D))\\
{\scriptstyle U}\downarrow & & \downarrow{\scriptstyle U}\\
C & \longrightarrow & \mathrm{CoKl}(D)
\end{array}$$


7 Related Work 


In semantics work, the use of monads as notions of computation was pioneered 
by Moggi [23], but the first to study comonads (or algebraic theories comodelled) 
as notions of environment (not under that name) were Shkaravska and 
Power [29]. This work was developed further by Plotkin and Power [24] and 
then Møgelberg and Staton [22] (who considered the enriched setting). Stateful 
runners appeared in Uustalu's paper [32], who noticed that nonresidual stateful 
runners of a set monad induced by an algebraic theory are in bijection with 
coalgebras of the comonad induced by the same theory (comodels). The concept 
of monad-comonad interaction law was distilled by Katsumata et al. [16], who 
also noticed that the universal interacting comonad of a monad is an instance 
of the Sweedler hom from Sweedler theory for duoidal categories; they calcu- 
lated the dual and Sweedler dual for a number of cases. Uustalu and Voorneveld 
[33] noticed the bijection between monad-comonad interaction laws and suit- 
able functors between categories of (co)algebras and that, in addition to stateful 
runners, monad-comonad interaction laws relate to continuation-based runners. 
Garner [12,11] further developed this thread. In particular, he gave a formula 
for the Sweedler duals of polynomial monads, and demonstrated properties of 
the dual/Sweedler dual (costructure/cosemantics) adjunction for accessible Set- 
(co)monads, such as its idempotency. He also pointed out that, when T and 
R are accessible Set-monads, the coalgebras of the Sweedler hom M(T, R) are 
algebras of T in (Kl(R))^op with, as maps between them, maps in Set that 
J : Set → Kl(R) sends to algebra maps. 

Independently, and earlier than in the semantics community, monad-comonad 
interaction laws were discovered among functional programmers by Kmett [19] 
and Freeman [8]. 

There is a disconnected and more mature thread of work in universal alge- 
bra started by Freyd [9] (or even Kan [15]), and continued by Tall and Wraith 
[31,34] and Bergman and Hausknecht [5], studying functors from coalgebras of 
a covariety to algebras (like those of our Prop. 3) in the case V = Set, R = Id_C 
of our enriched setting. (There are also textbook expositions, by Popescu and 
Popescu [26, Ch. 3] and Bergman [4, Ch. 10].) Strangely, this thread seems to 
have never been picked up in semantics work. It was not cited in the work by 
Power and coauthors [29,24], and the later authors (except Garner) have been 
unaware of it. 

Sweedler's original work [30] was for (co)algebras over a field. Anel and Joyal 
[3] studied the Sweedler theory in great detail for dg-(co)algebras. It was 
abstracted for (co)monoids in symmetric monoidal closed categories by Porst 
and Street [28] and Hyland et al. [14] (the internal hom of comonoids is older 
and goes back to Porst [27]) and then generalized for duoidal categories by López 
Franco and Vasilakopoulou [20]. A typical example duoidal structure on a functor 
category is given by the Day convolution and pointwise tensor. Garner and López 
Franco [13] considered the example of composition and the Day convolution of 
endofunctors (κ-accessible for a fixed κ). 

We do not know the earliest reference to generalized algebras of a monad, 
in particular, coalgebras of a monad. The latter were considered by Poinsot and 
Porst [25] (and models of algebraic theories elsewhere than Set are standard). 


8 Conclusion and Future Work 


We have studied universal (co)monads for monad-comonad interactions. We have 
shown that an elegant setting for such a study on a more general level is pro- 
vided by Sweedler theory for general duoidal categories as developed by López 
Franco and Vasilakopoulou [20]. But for results about monad-comonad inter- 
action specifically it is fruitful to combine it with the (co)algebraic perspective 
on monad-comonad interaction laws [33]. This makes it possible to characterize 
the universal (co)monads defined by Sweedler operations via their categories of 
(co)algebras in terms of different flavors of runners. 

We have witnessed that there is the choice of whether to work with ordinary 
monad-comonad interaction laws or with the enriched version. It remains to 
be seen which option yields a richer or more useful theory. An issue with the 
enriched option is that we know little about accessibility for enriched categories, 
although some studies exist (e.g., [18,6,7]). 

We refrained from discussing it in this paper altogether, but of course one can 
specifically study interaction laws of monads and comonads specified by algebraic 
theories. We intend to do this in a sequel paper. We also plan to explain properly 
the significance for semantics of the constructions of this paper by describing in 
detail how they work on semantics-motivated examples and what this means. 


Acknowledgements We thank Niels Voorneveld for many useful discussions. 
Richard Garner’s work is an endless source of inspiration. D.M. and T.U. were 
supported by the Icelandic Research Fund project grant no. 196323-053, T.U. 
also by the Estonian Research Council team grant no. PRG1210. E.R. was sup- 
ported by the Estonian Research Council personal grant no. PSG659. 


References 

1. Adámek, J., Rosický, J.: Locally Presentable and Accessible Categories, London Math. Soc. Lecture Note Series, vol. 189. Cambridge University Press (1994) 
2. Aguiar, M., Mahajan, S.: Monoidal Functors, Species and Hopf Algebras, CRM Monograph Series, vol. 29. Amer. Math. Soc. (2010) 
3. Anel, M., Joyal, A.: Sweedler theory of (co)algebras and the bar-cobar construction. arXiv eprint 1309.6952 [math.CT] (2013), https://arxiv.org/abs/1309.6952 
4. Bergman, G.M.: An Invitation to General Algebra and Universal Constructions. Universitext, Springer (2015). https://doi.org/10.1007/978-3-319-11478-1, author's revised version at https://math.berkeley.edu/~gbergman/245/ 
5. Bergman, G.M., Hausknecht, A.O.: Cogroups and Co-rings in Categories of Associative Rings, AMS Mathematical Surveys and Monographs, vol. 45. Amer. Math. Soc. (1996) 
6. Bird, G.J.: Limits in 2-Categories of Locally-Presented Categories. Ph.D. thesis, University of Sydney (1984) 
7. Borceux, F., Quinteiro, C.: Enriched accessible categories. Bull. Austral. Math. Soc. 54, 489-501 (1996). https://doi.org/10.1017/s0004972700021900 
8. Freeman, P.: Comonads as spaces (a series of blog posts) (2016), https://blog.functorial.com/posts/2016-08-07-Comonads-As-Spaces.html 
9. Freyd, P.: Algebra valued functors in general and tensor products in particular. Coll. Math. 14(1), 89-106 (1966). https://doi.org/10.4064/cm-14-1-89-106 
10. Garner, R.: Understanding the small object argument. Appl. Categ. Struct. 17(3), 247-285 (2009). https://doi.org/10.1007/s10485-008-9137-4 
11. Garner, R.: Stream processors and comodels. In: Gadducci, F., Silva, A. (eds.) Proc. of 9th Conf. on Algebra and Coalgebra in Computer Science, CALCO 2021 (Salzburg, Aug./Sept. 2021), Leibniz Int. Proc. in Informatics, vol. 211, pp. 15:1-15:17. Dagstuhl Publishing (2021). https://doi.org/10.4230/lipics.calco.2021.15 
12. Garner, R.: The costructure-cosemantics adjunction for comodels for computational effects. Math. Struct. Comput. Sci. (to appear). https://doi.org/10.1017/s0960129521000219 
13. Garner, R., López Franco, I.: Commutativity. J. Pure Appl. Algebra 204(2), 1707-1751 (2016). https://doi.org/10.1016/j.jpaa.2015.09.003 
14. Hyland, M., López Franco, I., Vasilakopoulou, C.: Hopf measuring comonoids and enrichment. Proc. London Math. Soc. 115(3), 1118-1148 (2017). https://doi.org/10.1112/plms.12064 
15. Kan, D.M.: On monoids and their dual. Bol. Soc. Mat. Mexicana, Ser. 2 3, 52-61 (1958) 
16. Katsumata, S., Rivas, E., Uustalu, T.: Interaction laws of monads and comonads. In: Proc. of 35th Ann. ACM/IEEE Symp. on Logic in Computer Science, LICS 2020 (Saarbrücken, July 2020), pp. 604-618. ACM (2020). https://doi.org/10.1145/3373718.3394808 
17. Kelly, G.M.: Basic Concepts of Enriched Category Theory, London Math. Soc. Lecture Note Series, vol. 64. Cambridge University Press (1982), reprinted (2005) as: Reprints in Theory and Applications of Categories 10, http://www.tac.mta.ca/tac/reprints/articles/10/tr10abs.html 
18. Kelly, M.G.: Structures defined by finite limits in the enriched context, I. Cahiers Topol. Géom. Différentielle Catégoriques 23(1), 3-42 (1982) 
19. Kmett, E.: Monads from comonads (a series of blog posts) (2011), http://comonad.com/reader/2011/monads-from-comonads/ 
20. López Franco, I., Vasilakopoulou, C.: Duoidal categories, measuring comonoids and enrichment. arXiv eprint 2005.01340 [math.CT] (2020), https://arxiv.org/abs/2005.01340 
21. Makkai, M., Paré, R.: Accessible Categories: The Foundations of Categorical Model Theory, Contemporary Mathematics, vol. 104. Amer. Math. Soc. (1989) 
22. Møgelberg, R.E., Staton, S.: Linear usage of state. Log. Methods Comput. Sci. 10(1) (2014). https://doi.org/10.2168/lmcs-10(1:17)2014 
23. Moggi, E.: Computational lambda-calculus and monads. In: Proc. of 4th Ann. Symp. on Logic in Computer Science, LICS '89, pp. 14-23. IEEE Press (1989). https://doi.org/10.1109/lics.1989.39155 
24. Plotkin, G., Power, J.: Tensors of comodels and models for operational semantics. Electron. Notes Theor. Comput. Sci. 218, 295-311 (2008). https://doi.org/10.1016/j.entcs.2008.10.018 
25. Poinsot, L., Porst, H.E.: Internal coalgebras in cocomplete categories: Generalizing the Eilenberg-Watts theorem. J. Algebra Appl. 20(9), art. 2510165 (2021). https://doi.org/10.1142/s0219498821501656 
26. Popescu, N., Popescu, L.: Theory of Categories. Editura Academiei / Sijthoff & Noordhoff Int. Publishers (1979) 
27. Porst, H.E.: On categories of monoids, comonoids, and bimonoids. Quaest. Math. 31(2), 127-139 (2008). https://doi.org/10.2989/qm.2008.31.2.2.474 
28. Porst, H.E., Street, R.: Generalizations of the Sweedler dual. Appl. Categ. Struct. 24, 619-647 (2016). https://doi.org/10.1007/s10485-016-9450-2 
29. Power, J., Shkaravska, O.: From comodels to coalgebras: State and arrays. Electron. Notes Theor. Comput. Sci. 106, 297-314 (2004). https://doi.org/10.1016/j.entcs.2004.02.041 
30. Sweedler, M.E.: Hopf Algebras. Math. Lecture Note Series, W. A. Benjamin (1969) 
31. Tall, D.O., Wraith, G.C.: Representable functors and operations on rings. Proc. London Math. Soc., Ser. 3 20(4), 619-643 (1970). https://doi.org/10.1112/plms/s3-20.4.619 
32. Uustalu, T.: Stateful runners for effectful computations. Electron. Notes Theor. Comput. Sci. 319, 403-421 (2015). https://doi.org/10.1016/j.entcs.2015.12.024 
33. Uustalu, T., Voorneveld, N.: Algebraic and coalgebraic perspectives on interaction laws. In: d. S. Oliveira, B.C. (ed.) Proc. of 18th Asian Symp. on Programming Languages and Systems, APLAS 2020 (Fukuoka, Nov./Dec. 2020), Lect. Notes Comput. Sci., vol. 12470, pp. 186-205. Springer (2020). https://doi.org/10.1007/978-3-030-64437-6_10 
34. Wraith, G.C.: Algebraic Theories (Lectures Autumn 1969, Revised Version of Notes), Lecture Note Series, vol. 22. Aarhus Universitet, Matematisk Institut (1975) 


448 D. McDermott et al. 


Open Access This chapter is licensed under the terms of the Creative Commons 
Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), 
which permits use, sharing, adaptation, distribution and reproduction in any medium 
or format, as long as you give appropriate credit to the original author(s) and the 
source, provide a link to the Creative Commons license and indicate if changes were 
made. 

The images or other third party material in this chapter are included in the chapter’s 
Creative Commons license, unless indicated otherwise in a credit line to the material. If 
material is not included in the chapter’s Creative Commons license and your intended 
use is not permitted by statutory regulation or exceeds the permitted use, you will need 
to obtain permission directly from the copyright holder. 


Model Checking Temporal Properties of 
Recursive Probabilistic Programs 


Tobias Winkler, Christina Gehnen, and Joost-Pieter Katoen 


RWTH Aachen University, Aachen, Germany 
{tobias.winkler,katoen}@cs.rwth-aachen.de 
christina.gehnen@rwth-aachen.de 


Abstract. Probabilistic pushdown automata (pPDA) are a standard 
operational model for programming languages involving discrete ran- 
dom choices, procedures, and returns. Temporal properties are useful for 
gaining insight into the chronological order of events during program 
execution. Existing approaches in the literature have focused mostly on 
ω-regular and LTL properties. In this paper, we study the model check- 
ing problem of pPDA against ω-visibly pushdown languages that can 
be described by specification logics such as CaRet and are strictly more 
expressive than w-regular properties. With these logical formulae, it is 
possible to specify properties that explicitly take the structured com- 
putations arising from procedural programs into account. For example, 
CaRet is able to match procedure calls with their corresponding future 
returns, and thus allows to express fundamental program properties like 
total and partial correctness. 


Keywords: Probabilistic Recursive Programs - Model Checking - Prob- 
abilistic Pushdown Automata - Visibly Pushdown Languages - CaRet. 


1 Introduction 


Probabilistic programs extend traditional programs with the ability to flip coins 
or, more generally, sample values from probability distributions. These programs 
can be used to encode randomized algorithms and randomized mechanisms in 
security [7] in a natural way. The interest in probabilistic programs has signif- 
icantly increased in recent years. To a large extent, this is due to the search 
in AI for more expressive and succinct languages than probabilistic graphical 
models for Bayesian inference [17]. Probabilistic programs have many applica- 
tions [24]. They are used in, amongst others, machine learning, systems biology, 
security, planning and control, quantum computing, and software-defined 
networks. Probabilistic variants of many programming languages exist. 

Procedural programs allow for declaration of procedures—small independent 
code blocks—and the ability to call procedures from one another, possibly in 
    proc void infectYoung() { 
      y := uniform(0, 3) 
      repeat y times { infectYoung() } 
      e := uniform(0, 2) 
      repeat e times { f := infectElder() } 
      return 
    } 

    proc bool infectElder() { 
      y := uniform(0, 1) 
      repeat y times { infectYoung() } 
      e := uniform(0, 4) 
      repeat e times { infectElder() } 
      f := bernoulli(0.01) 
      return f 
    } 

Fig. 1. Recursive probabilistic program modeling the outbreak of an infectious disease. 
uniform(a, b) stands for the discrete uniform distribution on [a, b]. 


a recursive fashion. Most common programming languages such as C, Python, 
or Java support procedures. It is thus not surprising that recursion is a key in- 
gredient in many modern probabilistic programming languages (PPL). In fact, 
many early approaches to extend Bayesian networks focused on incorporating 
recursion [26,19,11,27]. Randomized algorithms such as Hoare’s quicksort with 
random pivot selection can be straightforwardly programmed using recursion. 
Recursion is also a first-class citizen in modeling rule-based dependencies be- 
tween molecules or populations in systems biology (e.g., modeling reproduction). 

This paper studies the automated verification of probabilistic pushdown automata [14] 
(pPDA) as an explicit-state operational model of procedural probabilistic programs 
against temporal specifications. As a motivating example, let us consider a simple 
epidemiological model for the outbreak of an infectious disease in a large population 
where the number of susceptible individuals can be assumed to be infinite. Our example 
model distinguishes young and elderly persons. Each affected individual infects 
a uniformly distributed number of others, with varying rates (expected values) 
according to the age groups (Figure 2). The fatality rate for infected elderly and 
young persons is 1% and 0%, respectively. Initially, we assume there is a single in- 
fected young person, i.e., the overall program is started by calling infectYoung(). 
It is an easy task for any working programmer to specify this model as a dis- 
crete probabilistic program with mutually recursive procedures (Figure 1). Note 
that this program can be easily amended to more realistic models involving, e.g., 
more age or gender groups, other distributions, hospitalization rate, etc. 

Fig. 2. Example infection rates by age groups: expected number of persons of the 
column group infected by one person of the row group. 

        |  Y   |  E 
    ----+------+----- 
     Y  | 1.5  |  1 
     E  | 0.5  |  2 

The operational behavior of programs such as the one in Figure 1 can be 
naturally described by pPDA. The technical details of such a translation are 
beyond the scope of this paper but let us provide some intuition (more details can 
be found e.g. in [2]). Roughly, the local states of the procedures—the valuation of 
the local variables and the position of the program counter—constitute both the 
state space and the stack alphabet of the automaton. Procedure calls correspond 
to push transitions in the automaton in such a way that the program’s procedure 
stack is simulated by the automaton's pushdown stack, i.e., the current local 
state is saved on top of the stack. Accordingly, returning from a procedure 
corresponds to taking a pop transition in order to restore the local state of the 
caller. Returning a value can be handled similarly. Clearly, if the reachable local 
state spaces of the involved procedures are finite, then the resulting automaton 
will be finite as well. 

A number of relevant questions such as “Will the virus eventually become 
extinct?” (termination probability) or “What is the expected number of fatali- 
ties?” (expected costs) can be decided on finite pPDA (see [9] for a survey). In 
this work, we focus on temporal properties, e.g., questions that involve reasoning 
about the chronological order of certain events of interest during the epidemic. 
An example are chains of infection: For instance, we might ask 


What is the probability that eventually a young person with only young 
persons in their chain of infection passes the virus on to an elderly person 
who then dies? 


On the level of the program in Figure 1, this corresponds to the probability 
of reaching a global program configuration where the call stack only contains 
infectYoung() invocations and during execution of the current infectYoung(), 
the local variable f is eventually set to true. This requires reasoning about the 
nestings of calls and returns of a computation. In fact, in order to decide if 
f = true in the current procedure, we must "skip" over all calls within it and 
only consider their local return values. This requirement and many others can 
be rather naturally expressed in the logic CaRet [3], an extension of LTL: 


$$\Diamond^g \big( \Box^- p_Y \wedge p_Y \wedge \Diamond^a f \big).$$ 


Here, $p_Y$ is an atomic proposition that holds at states which correspond to being 
in procedure infectYoung, and f indicates that f = true. Intuitively, the above 
formula states that eventually (outer $\Diamond^g$), the computation reaches a (global) 
state where only infectYoung is on the call stack and the current procedure is 
infectYoung as well ($\Box^- p_Y \wedge p_Y$), and moreover the local, aka abstract, path 
within the current procedure reaches a state where f is true ($\Diamond^a f$). Such 
properties are in general context-free but not always regular and thus cannot be 
expressed in LTL [3]. 
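The reasoning above (a call stack holding only infectYoung frames, and the current infectYoung eventually setting f) can be checked on a concrete execution by running the Figure 1 program with an explicit call stack and a monitor. The Python below is an added example, not code from the paper: the class and function names are my own, and the two scripted draw sequences DIRECT_CHAIN and ELDER_CHAIN are constructed for illustration. The monitor fires exactly when, inside the current infectYoung, the local f becomes true while every frame on the stack is an infectYoung frame.

```python
"""Explicit-call-stack execution of the Figure 1 program with a monitor for the
chain-of-infection property. Added example, not code from the paper."""
from collections import deque
import random


class ScriptedDraws:
    """Random source replaying a fixed list of draws (constructed for the tests)."""

    def __init__(self, values):
        self.values = deque(values)

    def uniform(self, a, b):
        v = self.values.popleft()
        if not a <= v <= b:
            raise ValueError(f"scripted draw {v} outside [{a}, {b}]")
        return v

    def bernoulli(self, p):
        # The script decides the 0/1 outcome; p is not used here.
        return bool(self.values.popleft())


class RandomDraws:
    """Genuine sampling; see the note below on why unscripted runs may not terminate."""

    def __init__(self, seed):
        self.rng = random.Random(seed)

    def uniform(self, a, b):
        return self.rng.randint(a, b)

    def bernoulli(self, p):
        return self.rng.random() < p


class Outbreak:
    """Runs infectYoung()/infectElder() while tracking the procedure stack explicitly.

    The list of procedure names mirrors the pushdown stack of the pPDA encoding;
    `witnessed` becomes True once a configuration is reached in which only
    infectYoung frames are on the stack and the current infectYoung sets f := true.
    """

    def __init__(self, draws):
        self.draws = draws
        self.stack = []          # names of the procedures currently executing
        self.fatalities = 0
        self.witnessed = False

    def infect_young(self):
        self.stack.append("infectYoung")
        y = self.draws.uniform(0, 3)
        for _ in range(y):
            self.infect_young()
        e = self.draws.uniform(0, 2)
        for _ in range(e):
            f = self.infect_elder()           # local return value of the callee
            if f and all(name == "infectYoung" for name in self.stack):
                self.witnessed = True         # f holds and every frame satisfies p_Y
        self.stack.pop()

    def infect_elder(self):
        self.stack.append("infectElder")
        y = self.draws.uniform(0, 1)
        for _ in range(y):
            self.infect_young()
        e = self.draws.uniform(0, 4)
        for _ in range(e):
            self.infect_elder()
        f = self.draws.bernoulli(0.01)
        if f:
            self.fatalities += 1
        self.stack.pop()
        return f


def run_outbreak(draws):
    """Start with a single infected young person; return (witnessed, fatalities)."""
    model = Outbreak(draws)
    model.infect_young()
    return model.witnessed, model.fatalities


# Script 1 (constructed): the first young person infects one young (who infects
# nobody) and one elder who dies, so the property is witnessed in the outermost
# infectYoung: (witnessed, fatalities) == (True, 1).
DIRECT_CHAIN = [1, 0, 0, 1, 0, 0, 1]
# Script 2 (constructed): the fatal infection happens two elders down the chain;
# when f becomes true the stack is [infectYoung, infectElder], so nothing is
# witnessed although there is one fatality: (False, 1).
ELDER_CHAIN = [0, 1, 0, 1, 0, 0, 1, 0]
```

With the rates of Figure 2 the mean offspring matrix has spectral radius 2.5, so the branching process is supercritical and an unscripted run (RandomDraws) fails to terminate with positive probability; this is one reason such probabilities are computed on the pPDA rather than estimated by sampling.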


Technical Contribution. We are given a (finite) pPDA $\mathcal{A}$ and a CaRet formula 
$\varphi$ and we are interested in determining the probability that a random trajec- 
tory of $\mathcal{A}$ satisfies $\varphi$. In order for this problem to be decidable [13], we need to 
impose a mild visibility restriction on $\mathcal{A}$, yielding a probabilistic visibly push- 
down automaton (pVPA). Just like several previous works on model checking 
pPDA against ω-regular specifications [14,10,21], we follow the automata-based 
approach (see Figure 3). More specifically, we first translate $\varphi$ into an equiva- 
lent non-deterministic Büchi visibly pushdown automaton [4] (VPA) $A$ and then 
determinize it using a result of [22]. The resulting DVPA $D$ uses a so-called 
stair-parity [22] acceptance condition that is strictly more expressive than stan- 
dard parity or Muller DVPA [4]. Stair-parity differs from usual parity in that 
it only considers certain positions, called steps [22], of an infinite word where 
the stack height never decreases again. We then construct a standard product 
$\mathcal{A} \times D$. Here, the visibility conditions ensure that the automata synchronize their 
stack actions, yielding a product automaton that uses a single stack instead of 
two independent ones, which would lead to undecidability [13]. Finally, we are 
left with computing a stair-parity acceptance probability in the product, which 
is itself a pPDA. This is achieved by constructing a specific finite Markov chain 
associated to $\mathcal{A} \times D$, called step chain in this paper. Intuitively, the step chain 
jumps from one step of a run to the next, and therefore we only need to evalu- 
ate standard parity rather than stair-parity on the step chain. The idea of step 
chains is due to [14] where they were used to show decidability against deter- 
ministic non-pushdown Büchi automata. For constructing the step chain, certain 
termination probabilities of the pPDA need to be computed. These are in general 
algebraic numbers that cannot always be expressed by radicals [16], let alone by 
rationals. However, the relevant problems are still decidable via an encoding in 
the existential fragment of the FO-theory of the reals (ETR) [21]. 

Fig. 3. Chain of reductions used in this paper. ETR stands for existential theory of the 
reals, i.e., the existentially quantified fragment of the FO-theory over $(\mathbb{R}, +, \cdot, <)$. 

The resulting main contributions of this paper are complexity results, sum- 
marized in Figure 4, and algorithms for quantitative model checking of pPDA 
against ω-VPL given in terms of either deterministic automata, non-deterministic 
automata, or as CaRet formulae. As common in the literature, we consider the 
special case of qualitative, or almost-sure (a.-s.), model checking separately. To 
the best of our knowledge, none of these problems was known to be decidable be- 
fore. The work of [13] proved decidability of model checking against deterministic 
Muller VPA which capture a strict subset of the CaRet-definable languages [4]. 
As a lemma of independent interest, we show that the step chain can be used for 
checking all kinds of measurable properties defined on steps, even beyond parity. 


Related work. We have already mentioned various works on recursion in prob- 
abilistic graphical models (and PPL) as well as on verifying pPDA and the 
equivalent model of recursive Markov chains [16]. The analysis of these models 
focuses on reachability probabilities, ω-regular properties or (fragments of) prob- 
abilistic CTL, expected costs, and termination probabilities. The computation 
of termination probabilities in recursive Markov chains and variations thereof 
with non-determinism is supported by the software tool PReMo [29]. Our pa- 
per can be seen as a natural extension from checking pPDA against ω-regular 
properties to ω-visibly pushdown languages. In contrast to these algorithmic ap- 
proaches, various deductive reasoning methods have been developed for recursive 
probabilistic programs. Proof rules for recursion were first provided in [20], and 
later extended to proof rules in a weakest-precondition reasoning style [23,25]. 
Olmedo et al. [25] also address the connection to pPDA and provide proof rules 
for expected run-time analysis. A mechanized method for proving properties 
of randomized algorithms, including recursive ones, for the Coq proof assistant 
is presented in [5]. The Coq approach is based on higher-order logic using a 
monadic interpretation of programs as probabilistic distributions. 

Fig. 4. Complexity results of this paper. 

    ω-VPL given in terms of ...                    qualitative         quantitative 
    Deterministic stair-parity VPA [Theorem 3]     in PSPACE           in PSPACE 
    Non-deterministic Büchi VPA [Theorem 4]        EXPTIME-complete    in EXPSPACE 
    CaRet formula [Theorem 5]                      in 2EXPTIME         in 2EXPSPACE 


Organization. We review the basics about VPA and CaRet in Section 2. Section 3 
introduces probabilistic visibly pushdown automata (pVPA). The stair-parity 
DVPA model checking procedure is presented in Section 4, and the results for 
Büchi VPA and CaRet in Section 5. We conclude the paper in Section 6. 


2 Visibly Pushdown Languages 


We fix some general notation for words first. Given a non-empty alphabet $\Sigma$, let 
$\Sigma^*$ be the set of finite words (this includes the empty word $\varepsilon$), and let $\Sigma^\omega$ be the 
set of infinite words over $\Sigma$. For $i \geq 0$, the $i$-th symbol of a word $w \in \Sigma^* \cup \Sigma^\omega$ 
is denoted $w(i)$ if it exists. $|w|$ denotes the length of $w$. 


2.1 Visibly Pushdown Automata 


A finite alphabet $\Sigma$ is called a pushdown alphabet if it is equipped with a partition 
$\Sigma = \Sigma_{call} \uplus \Sigma_{int} \uplus \Sigma_{ret}$ into three, possibly empty, subsets of call, internal, 
and return symbols. A visibly pushdown automaton [4] (VPA) over X is like 
a standard pushdown automaton with the additional syntactic restriction that 
reading a call or return symbol triggers a push or a pop transition, respectively. 
Reading an internal symbol, on the other hand, does not affect the stack at all. 


Definition 1 (VPA [4]). Let $\Sigma$ be a pushdown alphabet. A visibly pushdown 
automaton (VPA) over $\Sigma$ is a tuple $A = (S, s_0, \Gamma, \bot, \delta, \Sigma)$ with $S$ a finite set 
of states, $s_0 \in S$ an initial state, $\Gamma$ a finite stack alphabet, $\bot \in \Gamma$ a special 
bottom-of-stack symbol, and $\delta = (\delta_{call}, \delta_{int}, \delta_{ret})$ a triple of relations 


$$\delta_{call} \subseteq (S \times \Sigma_{call}) \times (S \times (\Gamma \setminus \{\bot\})), \quad 
\delta_{int} \subseteq (S \times \Sigma_{int}) \times S, \quad 
\delta_{ret} \subseteq (S \times \Sigma_{ret} \times \Gamma) \times S.$$ 


For $s, t \in S$, $Z \in \Gamma$, and $a \in \Sigma$, we use the shorthand 
notations $s \xrightarrow{a} tZ$, $s \xrightarrow{a} t$, $sZ \xrightarrow{a} t$ to indicate that there exist transitions 
$(s, a, t, Z) \in \delta_{call}$, $(s, a, t) \in \delta_{int}$, $(s, a, Z, t) \in \delta_{ret}$, respectively. Note that e.g. 
$s \xrightarrow{a} tZ$ implies implicitly that $a \in \Sigma_{call}$ and $Z \neq \bot$, and similar for internal 
and return transitions. Intuitively, call transitions push a new symbol $Z$ onto 
the stack, internal transitions ignore the stack, and return transitions pop the 
topmost symbol $Z$ from the stack (unless $Z = \bot$, in which case nothing is 
popped). A configuration of VPA $A$ is a tuple $(s, \gamma) \in S \times \Gamma^*$, written more 
succinctly as $s\gamma$ in the sequel. Let $w \in \Sigma^\omega$ be an infinite input word. An infinite 
sequence $\rho = s_0\gamma_0, s_1\gamma_1, \ldots$ of configurations is called a run of $A$ on $w$ if $s_0\gamma_0 = 
s_0\bot$ and for all $i \geq 0$, exactly one of the following cases applies: 

- $w(i) \in \Sigma_{call}$ and $\gamma_{i+1} = \gamma_i Z$ for some $Z \in \Gamma \setminus \{\bot\}$ such that $s_i \xrightarrow{w(i)} s_{i+1} Z$; or 
- $w(i) \in \Sigma_{int}$ and $\gamma_{i+1} = \gamma_i$ and $s_i \xrightarrow{w(i)} s_{i+1}$; or 
- $w(i) \in \Sigma_{ret}$ and $\gamma_{i+1} Z = \gamma_i$ for some $Z \in \Gamma \setminus \{\bot\}$ such that $s_i Z \xrightarrow{w(i)} s_{i+1}$; or 
- $w(i) \in \Sigma_{ret}$, $\gamma_i = \gamma_{i+1} = \bot$ and $s_i \bot \xrightarrow{w(i)} s_{i+1}$. 

A Büchi acceptance condition for $A$ is a subset $F \subseteq S$. A VPA equipped with 
a Büchi condition is called a Büchi VPA. An infinite word $w \in \Sigma^\omega$ is accepted 
by a Büchi VPA if there exists a run $s_0\gamma_0, s_1\gamma_1, \ldots$ of $A$ on $w$ such that $s_i \in F$ 
for infinitely many $i \geq 0$. The ω-language of words accepted by a Büchi VPA $A$ 
is denoted $L(A) \subseteq \Sigma^\omega$. 


Definition 2 (ω-VPL [4]). Let $\Sigma$ be a pushdown alphabet. $L \subseteq \Sigma^\omega$ is an 
ω-visibly pushdown language (ω-VPL) if $L = L(A)$ for a Büchi VPA $A$ over $\Sigma$. 


A VPA is deterministic (DVPA) if it has exactly one run on each input word. 
In this case, $\delta_{call}$, $\delta_{int}$, and $\delta_{ret}$ can be viewed as (total) functions. As for standard 
NBA, the class of languages recognized by Büchi DVPA is a strict subset of 
the languages recognized by non-deterministic Büchi VPA. Unlike in the non- 
pushdown case, DVPA with Muller or parity conditions are also strictly less 
expressive than non-deterministic Büchi VPA [4]. A deterministic automaton 
model for ω-VPL was given in [22]. It uses a so-called stair-parity acceptance 
condition which is the topic of the next subsection. 


2.2 Steps and Stair-parity Conditions 


Let us fix a pushdown alphabet $\Sigma$ and a VPA $A$ over $\Sigma$. Consider a run $\rho = 
s_0\gamma_0, s_1\gamma_1, \ldots$ of $A$ on an infinite word $w \in \Sigma^\omega$. We define the stack height of the 
$i$-th configuration as $sh(\rho(i)) = |\gamma_i| - 1$ (the bottom symbol $\bot$ does not count 
towards the stack height). The stair-parity condition relies on the notion of steps: 


Definition 3 (Step). Let $\rho$ be a run of $A$. Position $i \geq 0$ is a step of $\rho$ if 


$$\forall n \geq i : \quad sh(\rho(n)) \geq sh(\rho(i)).$$ 
Fig. 5. Left: An example VPA (in fact, a DVPA) with $\Gamma = \{Z, \bot\}$ over input alphabet 
$\Sigma = \{c\} \uplus \{\tau\} \uplus \{r\}$. Transitions labeled $c, Z$ are call transitions which push $Z$ on 
the stack, the transitions labeled with $\tau$ are internal ones that ignore the stack, and 
those labeled $Z, r$ and $\bot, r$ are return transitions that are only enabled if $Z$ ($\bot$, resp.) 
is on top of the stack; when executing $Z, r$ we also pop $Z$ from the stack. However, the 
special bottom-of-stack symbol $\bot$ can never be popped (see e.g. pos. 1). Right: The 
unique run of the DVPA on input word $\tau\, r\, c\, \tau\, \tau\, c\, r\, c^2 r^2 c^3 r^3 \ldots$. Steps are underlined. 


Abusing terminology, we may also refer to the configurations at the step positions 
of a run as steps. 


Example 1. Figure 5 depicts a DVPA and the initial fragment of its unique run 
$\rho$ on the input word $\tau\, r\, c\, \tau\, \tau\, c\, r\, c^2 r^2 c^3 r^3 \ldots$. The step positions are underlined, 
i.e., positions 0-5, 7, 11, and 17 are steps. Note that if $\rho(i) = s\bot$ for some $s \in S$ 
then $i$ is a step, i.e., bottom configurations are always steps. 


Steps play a central role in the rest of the paper. We therefore explain some 
of their fundamental properties. 


— If positions i < j are adjacent steps, then sh(p(j)) — sh(p(i)) € {0,1}, i.e., 
the stack height from one step to the next increases by either zero or one. 
More precisely, if the symbol at step position $i$ is internal (e.g. $i = 0, 3, 4$ 
in Figure 5) or a return (e.g. i = 1) then the next step is simply the next 
configuration j = i + 1 and the stack height does not increase. If the symbol 
at position i is a call, then one of two cases occurs: Either the call has 
no matching future return (e.g. i = 2); in this case, the next step is the 
next configuration j = i + 1. Otherwise the call is eventually matched (e.g. 
i = 5,7,11) and the next step j > i+ 1 occurs after the corresponding 
matching return is read and has the same stack height. 

— Each infinite run has infinitely many steps since the above discussion also 
implies that each step has a successor. Notice though that the difference be- 
tween two adjacent step positions may grow unboundedly as in the example. 

— As a consequence, the stack height at the steps either grows unboundedly or 
eventually stabilizes (the latter occurs in Figure 5). 


Remark 1. One can also define the steps of a word $w \in \Sigma^\omega$ as the positions where 
a run of any arbitrary VPA on w has a step. Due to the visibility restriction, 
the actual behaviour of the VPA does not influence the step positions [22]. In 
other words, the step positions are predetermined by the input word. Thus, we 
can also speak of the stack height sh(w(i)) of word w at position i. 
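Remark 1 makes the steps a property of the word alone, so they can be computed without any automaton. The Python below is an added example (my own code, not the paper's): it computes stack heights and step positions for a finite prefix whose continuation is well-matched, as in Figure 5, exactly for ultimately periodic words $u v^\omega$, and it decides membership in $L_{repbdd}$ for such words. The symbol names c, τ, r follow Figure 5; the words other than the Figure 5 prefix are constructed for illustration.

```python
"""Steps and stack heights of words over a pushdown alphabet (Definition 3,
Remark 1) and the repeatedly-bounded test of Example 2. Added example; only
the symbol names follow Figure 5, the rest is my own code."""

# Pushdown alphabet partition of Figure 5 (the internal symbol is written τ).
KIND = {"c": "call", "τ": "int", "r": "ret"}


def heights(word, kind=KIND):
    """Stack heights of the configurations visited while reading a finite word,
    one more entry than symbols: a call pushes, an internal symbol leaves the
    stack alone, a return pops unless only the bottom symbol ⊥ is left."""
    h = [0]
    for a in word:
        k = kind[a]
        if k == "call":
            h.append(h[-1] + 1)
        elif k == "int":
            h.append(h[-1])
        elif k == "ret":
            h.append(max(h[-1] - 1, 0))
        else:
            raise ValueError(f"unknown symbol kind {k!r}")
    return h


def steps_of_prefix(prefix, kind=KIND):
    """Step positions of an infinite word that starts with `prefix` and whose
    suffix never matches a call still pending at the end of the prefix (for
    instance a well-matched suffix such as c^4 r^4 c^5 r^5 ... in Figure 5).
    Then no later height drops below the final one, so position i is a step
    iff no height within the prefix after i is smaller than sh(w(i))."""
    h = heights(prefix, kind)
    return [i for i in range(len(prefix)) if min(h[i:]) >= h[i]]


def steps_of_lasso(u, v, n, kind=KIND):
    """Exact step positions 0..n-1 of the ultimately periodic word u v^ω.

    The height after a copy of v is Δ + max(h, d), with Δ the push/pop balance
    of v and d its largest pop surplus, so after at most len(u)+2 copies the
    heights are periodic (Δ <= 0) or grow by Δ per copy (Δ > 0). Unrolling a
    few copies more than that makes the minimum over the unrolled part equal
    to the minimum over the whole infinite future.
    """
    if not v:
        raise ValueError("v must be non-empty for an infinite word")
    copies = len(u) + 4 + n // len(v) + 1
    h = heights(u + v * copies, kind)
    return [i for i in range(n) if min(h[i:]) >= h[i]]


def repeatedly_bounded(u, v, kind=KIND):
    """Is u v^ω in L_repbdd? The height stays below some bound infinitely often
    iff only finitely many calls remain unmatched, i.e. iff one copy of v pushes
    no more than it pops."""
    balance = sum({"call": 1, "int": 0, "ret": -1}[kind[a]] for a in v)
    return balance <= 0


# Prefix of the Figure 5 word τ r c τ τ c r c² r² c³ r³ ... (18 symbols); the
# suffix c⁴ r⁴ c⁵ r⁵ ... is well-matched, so steps_of_prefix is exact here.
FIG5_PREFIX = "τrcττcrccrrcccrrrc"
```

Running `steps_of_prefix(FIG5_PREFIX)` reproduces the step positions 0-5, 7, 11 and 17 of Example 1; `repeatedly_bounded` is the Δ-sign test behind Example 2 and is not a general decision procedure for arbitrary (non-lasso) words.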
We need one last notion before defining stair-parity. The footprint of an 
infinite run $\rho = s_0\gamma_0, s_1\gamma_1, \ldots$ is the infinite sequence $\rho{\restriction}_{steps} = s_{n_0} s_{n_1} \ldots \in S^\omega$ 
where for all $i \geq 0$ the position $n_i$ is the $i$-th step of $\rho$. Phrased differently, 
$\rho{\restriction}_{steps}$ is the projection of the run $\rho$ onto the states occurring at its steps. For 
the example run in Figure 5 (right), $\rho{\restriction}_{steps} = s_0 s_1 s_1 s_0 s_1 \ldots$. 


Definition 4 (Stair-parity [22]). Let $A$ be a VPA over pushdown alphabet 
$\Sigma$. A stair-parity acceptance condition for $A$ is defined in terms of a priority 
function $\Omega : S \to \mathbb{N}_0$. A word $w \in \Sigma^\omega$ is accepted if $A$ has a run $\rho$ on $w$ s.t. 


$$\min \{\, k \in \mathbb{N}_0 \mid \exists^\infty i : \Omega(\rho{\restriction}_{steps}(i)) = k \,\}$$ 


is even. The language accepted by $A$ is denoted $L(A)$. 


Example 2. The DVPA in Figure 5 with $\Omega(s_0) = 1$ and $\Omega(s_1) = 2$ accepts 


$$L_{repbdd} = \{\, w \in \Sigma^\omega \mid \exists B \geq 0,\ \exists^\infty i \geq 0 : sh(w(i)) \leq B \,\},$$ 


the language of repeatedly bounded words [22], i.e., words whose stack height (cf. 
Remark 1) is infinitely often at most a constant $B$. It is known that $L_{repbdd}$ is 
not expressible by DVPA with usual parity conditions [4]. 


Theorem 1 ([22, Thm. 1]). For every non-deterministic Büchi VPA $A$ there 
exists a deterministic stair-parity DVPA $D$ with $2^{O(|S|^2)}$ states such that $L(A) = 
L(D)$. Moreover, $D$ can be constructed in exponential time in the size of $A$. 


It was also shown in [22] that stair-parity DVPA characterize exactly the class of 
ω-VPL (and are thus not more expressive than non-deterministic Büchi VPA). 


2.3 CaRet, a Temporal Logic of Calls and Returns 


Specifying requirements directly in terms of automata is tedious in practice. 
CaRet [3] is an extension of Linear Temporal Logic (LTL) that can be used to 
describe ω-VPL. Its syntax is defined as follows: 


Definition 5 (CaRet [3]). Let $AP$ be a finite set of atomic propositions. The 
logic CaRet adheres to the grammar 


$$\varphi ::= p \mid \varphi \vee \varphi \mid \neg\varphi \mid \bigcirc^g \varphi \mid \varphi\, U^g \varphi \mid \bigcirc^a \varphi \mid \varphi\, U^a \varphi \mid \bigcirc^- \varphi \mid \varphi\, U^- \varphi,$$ 


where $p \in AP \cup \{call, int, ret\}$. 


Other common modalities such as $\Diamond^b$ and $\Box^b$ for $b \in \{g, a, -\}$ are defined as 
usual via $\Diamond^b \varphi = true\, U^b \varphi$, and $\Box^b \varphi = \neg\Diamond^b \neg\varphi$. We briefly explain the seman- 
tics of CaRet, the formal definition can be found in [3] or the full version [28]. 
We assume familiarity with LTL. CaRet formulae are interpreted over infinite 
words from the pushdown alphabet $\Sigma = 2^{AP} \times \{call, int, ret\}$. $\bigcirc^g$ and $U^g$ are 
the standard next and until modalities from LTL (called global next and until 
in CaRet). CaRet extends LTL by two key operators, the caller modality $\bigcirc^-$ 
and the abstract successor $\bigcirc^a$, see Figure 6. The former is a past modality that 
refers to the position of the last pending call. For internal and return symbols, 
the abstract successor $\bigcirc^a$ behaves like $\bigcirc^g$ unless the latter is a return, in which 
case $\bigcirc^a$ is undefined (e.g. pos. 3 in the example). On the other hand, the ab- 
stract successor of a call symbol is its matching return if it exists, or undefined 
otherwise. The until modalities $U^-$ and $U^a$ are defined over the paths induced 
by the callers and abstract successors, respectively. Note that the caller path 
is always finite and the abstract path can be either finite or infinite. A prime 
application of CaRet is to state Hoare-like total correctness of a procedure $F$ [3]: 


$$\varphi_{total} = \Box^g \big( call \wedge p \wedge p_F \rightarrow \bigcirc^a q \big)$$ 


where $p$ and $q$ are atomic propositions that hold at the states where the pre- and 
post-condition is satisfied, respectively, and $p_F$ is an atomic proposition marking 
the calls to $F$. Another example is the language of repeatedly bounded words 
from Example 2; it is $L_{repbdd} = L(\Diamond^g \Box^g (call \rightarrow \Diamond^a ret))$. Further examples are 
given in [3]. The language defined by a CaRet formula $\varphi$ is denoted $L(\varphi)$. 

Fig. 6. CaRet's various next modalities applied to the initial fragment of an example 
word. Call, internal, and return positions are depicted as boxes, circles, and rhombs, 
resp. Note that $\bigcirc^a$ of position 3 is undefined because its $\bigcirc^g$ is a return. 
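The three successor notions of Figure 6 are the parsing work any CaRet checker has to do, and the total-correctness formula reduces to a check over matching calls and returns. The Python below is an added example (not code from the paper or from [3]): it computes matching returns, callers and abstract successors over a finite trace of (propositions, type) pairs and lists the positions violating $\varphi_{total}$. The trace W is constructed for illustration; positions beyond the prefix are treated as undefined, so a call that has not returned within the prefix counts as a violation. The function names are my own.

```python
"""Global, abstract and caller successors of CaRet (Figure 6) over a finite
trace, plus the total-correctness pattern. Added example, not the paper's code."""

CALL, INT, RET = "call", "int", "ret"


def matching(word):
    """Return (match, caller) for a word of (propositions, type) pairs.

    match[i]  : position of the return matching call i, or None if no return
                matches it within the word.
    caller[i] : position of the innermost call still pending when position i
                is read (a frame is popped only after its return is read), or
                None at top level, where only ⊥ is on the stack.
    """
    match = [None] * len(word)
    caller = [None] * len(word)
    pending = []                      # positions of calls without a return so far
    for i, (_, typ) in enumerate(word):
        caller[i] = pending[-1] if pending else None
        if typ == CALL:
            pending.append(i)
        elif typ == RET and pending:  # a return on ⊥ pops nothing
            match[pending.pop()] = i
    return match, caller


def abstract_successor(word, i, match):
    """○^a of position i: the matching return of a call (undefined if it does
    not return within the word); for internal and return positions the global
    successor i+1, unless that one is a return (cf. position 3 in Figure 6)."""
    if word[i][1] == CALL:
        return match[i]
    j = i + 1
    if j >= len(word) or word[j][1] == RET:
        return None
    return j


def caller_path(caller, i):
    """The (always finite) caller path ○^-, (○^-)^2, ... starting at position i."""
    path = []
    while caller[i] is not None:
        i = caller[i]
        path.append(i)
    return path


def violates_total_correctness(word, pre="p", post="q", proc="pF"):
    """Positions violating φ_total = □^g(call ∧ p ∧ p_F → ○^a q): calls of F
    entered with the precondition whose matching return is missing in the
    word or does not carry the postcondition."""
    match, _ = matching(word)
    return [i for i, (props, typ) in enumerate(word)
            if typ == CALL and pre in props and proc in props
            and (match[i] is None or post not in word[match[i]][0])]


# Constructed trace: one call of F that returns with q, then a call of F whose
# body calls a helper and which returns without q.
W = [
    ({"p", "pF"}, CALL),   # 0: call F, precondition holds
    (set(), INT),          # 1
    ({"q"}, RET),          # 2: return of call 0, postcondition holds
    ({"p", "pF"}, CALL),   # 3: second call of F
    (set(), CALL),         # 4: helper call inside F
    (set(), RET),          # 5: helper returns
    (set(), RET),          # 6: F returns, q missing
    (set(), INT),          # 7
]
```

On W the only violation is the call at position 3; position 1 has no abstract successor because its global successor is the return at 2, exactly the situation of position 3 in Figure 6.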


Theorem 2 ([1, Thm. 5.1]). CaRet-definable languages are ω-VPL: For each 
CaRet formula $\varphi$ there exists a (non-deterministic) Büchi VPA $A$ such that 
$L(\varphi) = L(A)$, and $A$ can be constructed in time $2^{O(|\varphi|)}$. 


The above theorem is well-known in the literature [1,2] even though it is usually 
stated for Nested Word Automata (NWA) which are equivalent to VPA, and 
it is more common to state a space bound on A rather than a time bound 
for the construction. The theorem also applies to more expressive extensions of 
CaRet [1] which we do not consider here for the sake of simplicity. 


3 Probabilistic Visibly Pushdown Automata 


As explained in the introductory section, we employ probabilistic pushdown au- 
tomata [14] (pPDA) as an operational model for procedural probabilistic pro- 
grams. pPDA thus play a fundamentally different role in this paper than VPA 
(cf. Definition 1): While the former are used to model the system, the latter en- 
code the specification. Consequently, our pPDA do not read an input word like 
VPA do, but instead take their transitions randomly, according to fixed probabil- 
ity distributions. In this way, they define a probability space over their possible 
traces, i.e., runs projected on their labeling sequence. These traces constitute the 
input words of the VPA. In order for the model checking problems to be decid- 
able [13], a syntactic visibility restriction related—but not exactly analogous—to 
the one required by VPA needs to be imposed on pPDA. In a nutshell, the con- 
dition is that each state only has outgoing transitions of one type, i.e., push, 
internal, or pop. This means that the stack operation is visible in the states 
(recall that for VPA, the stack operation is visible in the input symbol). This 
restriction is not severe in the context of modeling programs (see Remark 2 fur- 
ther below) and leads to our notion of probabilistic visibly pushdown automata 
(pVPA) which we now define formally. 

Given a finite set $X$, we write $\mathcal{D}(X) = \{\, f : X \to [0,1] \mid \sum_{x \in X} f(x) = 1 \,\}$ 
for the set of probability distributions on $X$. 


Definition 6 (pVPA). A probabilistic visibly pushdown automaton (pVPA) 
is a tuple $\mathcal{A} = (Q, q_0, \Gamma, \bot, P, \Sigma, \lambda)$ where $Q$ is a finite set of states partitioned 
into $Q = Q_{call} \uplus Q_{int} \uplus Q_{ret}$, $q_0 \in Q$ is an initial state, $\Gamma$ is a finite stack alphabet, 
$\bot \in \Gamma$ is a special bottom-of-stack symbol, $P = (P_{call}, P_{int}, P_{ret})$ is a triple of 
functions with signature 


$$P_{call} : Q_{call} \to \mathcal{D}(Q \times (\Gamma \setminus \{\bot\})), \quad 
P_{int} : Q_{int} \to \mathcal{D}(Q), \quad 
P_{ret} : Q_{ret} \times \Gamma \to \mathcal{D}(Q),$$ 


$\Sigma = \Sigma_{call} \uplus \Sigma_{int} \uplus \Sigma_{ret}$ is a pushdown alphabet, and $\lambda : Q \to \Sigma$ is a state labeling 
function consistent with the visibility condition, i.e., for all $type \in \{call, int, ret\}$ 
and all $q \in Q$, we have that $q \in Q_{type}$ iff $\lambda(q) \in \Sigma_{type}$. 


Intuitively, the behavior of a pVPA $\mathcal{A}$ is as follows. If the current state $q$ is a call 
state, then the probability distribution $P_{call}(q)$ determines a random successor 
state and stack symbol to be pushed on the stack ($\bot$ cannot be pushed). Simi- 
larly, if the current state is internal, then $P_{int}(q)$ is the distribution over possible 
successor states and the stack is ignored completely. Lastly, if the current state is 
a return state and symbol $Z \in \Gamma$ is on top of the stack, then $P_{ret}(q, Z)$ once again 
determines the probability distribution of successor states, and additionally $Z$ 
is removed from the stack. Similar to VPA, the bottom symbol $\bot$ is the only 
exception to this rule, it can never be removed. Thus, pVPA are a generalization 
of labeled Markov chains, which correspond to the special case $Q = Q_{int}$. 

We now define the semantics of pVPA more formally. For $q, r \in Q$, $Z \in \Gamma$ and 
$p > 0$ we use the shorthand notations $q \xrightarrow{p} rZ$, $q \xrightarrow{p} r$, and $qZ \xrightarrow{p} r$ to indicate 
that $P_{call}(q)(r, Z) = p$, $P_{int}(q)(r) = p$, and $P_{ret}(q, Z)(r) = p$, respectively. As for 
VPA, a configuration of a pVPA is an element $q\gamma \in Q \times \Gamma^*$. An (infinite) run of 
a pVPA is a sequence of configurations $\rho = q_0\gamma_0, q_1\gamma_1, \ldots$ such that $q_0\gamma_0 = q_0\bot$ 
and for all $i \geq 0$ we have that either 


1. $q_i \in Q_{call}$, $\gamma_{i+1} = \gamma_i Z$ for some $Z \in \Gamma \setminus \{\bot\}$, and $q_i \xrightarrow{p} q_{i+1} Z$; or 
2. $q_i \in Q_{int}$, $\gamma_{i+1} = \gamma_i$ and $q_i \xrightarrow{p} q_{i+1}$; or 
3. $q_i \in Q_{ret}$, $\gamma_{i+1} Z = \gamma_i$ for some $Z \in \Gamma \setminus \{\bot\}$ and $q_i Z \xrightarrow{p} q_{i+1}$, or $\gamma_{i+1} = \gamma_i = \bot$ and 
   $q_i \bot \xrightarrow{p} q_{i+1}$ (because the bottom symbol $\bot$ is never popped). 


Note that our pVPA only produce infinite runs and do not simply “terminate” 
upon reaching the empty stack as in e.g. [14]. In fact, in our case the stack 
cannot be empty due to the special bottom symbol L that can never be popped. 
We have chosen to avoid finite pVPA runs for compatibility with CaRet which 
describes w-languages per definition. Nonetheless, terminating behavior can be 
easily simulated in our framework by moving to a dedicated sink state once the 
pVPA attempts to pop L for the first time. 

The set of all runs of a pVPA $\mathcal{A}$ is denoted $Runs_{\mathcal{A}}$. We extend $\mathcal{A}$'s labeling 
function $\lambda$ to runs $\rho \in Runs_{\mathcal{A}}$ by applying it to each state along $\rho$ individually, 
yielding a word $\lambda(\rho) \in \Sigma^\omega$. Steps of pVPA runs are defined as in Definition 3. 
An example pVPA and its possible runs are depicted in Figure 7 on page 14. 

We can view the set of all configurations $Q \times \Gamma^*$ as the (infinite) state space 
of a discrete-time Markov chain. In this way, we obtain a probability space 
$(Runs_{\mathcal{A}}, \mathfrak{F}, \mathbb{P})$ via the usual cylinder set construction [6, Ch. 10]. 


Remark 2. The visibility restriction of our pVPA is slightly different from the 
definition given in [13] which requires all incoming transitions to a state to be of 
the same type, i.e., call, internal, or return. Our definition, on the other hand, im- 
poses the same requirement on the states’ outgoing transitions. We believe that 
our condition is more natural for pVPA obtained from procedural programs, 
such as the one in Figure 1. In fact, programs where randomness is restricted 
to internal statements such as x := bernoulli(0.5) or x := uniform(0,3) nat- 
urally comply with our visibility condition because all call and return states of 
such programs are deterministic and thus cannot violate visibility. However, the 
alternative condition of [13] is not necessarily fulfilled for such programs. 


We can now formally state our main problem of interest: 


Definition 7 (Probabilistic CaRet Model Checking). Let $AP$ be a finite 
set of atomic propositions, $\varphi$ be a CaRet formula over $AP$, $\mathcal{A}$ be a pVPA with 
labels from the pushdown alphabet $\Sigma = 2^{AP} \times \{call, int, ret\}$, and $\theta \in [0,1] \cap \mathbb{Q}$. 
The quantitative CaRet Model Checking problem is to decide whether 


$$\mathbb{P}(\{\, \rho \in Runs_{\mathcal{A}} \mid \lambda(\rho) \in L(\varphi) \,\}) \geq \theta.$$ 


The qualitative CaRet Model Checking problem is the special case where $\theta = 1$. 
The probabilities in Definition 7 are well-defined as ω-VPL are measurable [22]. 


4 Model Checking against Stair-parity DVPA 


In this section, we show that model checking pVPA (Definition 6) against VPL 
given in terms of a stair-parity DVPA (Definition 4) is decidable. This is achieved 
by first computing an automata-theoretic product of the pVPA and the DVPA 
and then evaluating the acceptance condition in the product automaton. 
4.1 Products of Visibly Pushdown Automata


In general, pushdown automata are not closed under taking products as this 
would require two independent stacks. However, the visibility conditions on VPA 
and pVPA ensure that their product is again an automaton with just a single 
stack because the stack operations (push, nop, or pop) are forced to synchronize. 

We now define the product formally. An unlabeled pVPA is a pVPA where
the labeling function λ and alphabet Σ are omitted.


Definition 8 (Product A × D). Let A = (Q, q_0, Γ, ⊥, P, Σ, λ) be a pVPA,
and D = (S, s_0, Γ', ⊥, δ, Σ) be a DVPA over pushdown alphabet Σ. The product
of A and D is the unlabeled pVPA

$$A \times D = \big(Q \times S,\ (q_0, s_0),\ \Gamma \times \Gamma',\ (\bot, \bot),\ P_{A \times D}\big),$$

where P_{A×D} is the smallest set of transitions satisfying the following rules for
all q, r ∈ Q, Z ∈ Γ, s, t ∈ S, and Y ∈ Γ':

$$\frac{q \xrightarrow{p} rZ \;\wedge\; s \xrightarrow{\lambda(q)} tY}{(q,s) \xrightarrow{p}_{A \times D} (r,t)(Z,Y)}\ \text{(call)}
\qquad
\frac{q \xrightarrow{p} r \;\wedge\; s \xrightarrow{\lambda(q)} t}{(q,s) \xrightarrow{p}_{A \times D} (r,t)}\ \text{(internal)}
\qquad
\frac{qZ \xrightarrow{p} r \;\wedge\; sY \xrightarrow{\lambda(q)} t}{(q,s)(Z,Y) \xrightarrow{p}_{A \times D} (r,t)}\ \text{(return)}$$

If the DVPA D is equipped with a priority function Ω: S → ℕ_0, then we extend
Ω to Ω': Q × S → ℕ_0 via Ω'(q, s) = Ω(s).


It is not difficult to show that A x D is indeed a well-defined pVPA and moreover 
satisfies the following property (the proof is standard, see [28]): 


Lemma 1 (Soundness of A × D). Let A be a pVPA and D be a stair-parity
DVPA with priority function Ω, both over pushdown alphabet Σ. Then
the product pVPA A × D with priority function Ω' as in Definition 8 satisfies

$$P(\{\rho \in Runs_A \mid \lambda(\rho) \in L(D)\}) \;=\; P(\{\rho \in Runs_{A \times D} \mid \rho{\downarrow}_{steps} \in Parity_{\Omega'}\}),$$

where Parity_{Ω'} denotes the set of words in (Q × S)^ω satisfying the standard parity
condition defined by Ω'. Moreover, A × D can be constructed in polynomial time.


Remark 3. It is not actually important that the product satisfies the visibility 
condition. All techniques we apply to the product also work for general pPDA. 


4.2 Stair-parity Acceptance Probabilities in pVPA 


Lemma 1 effectively reduces model checking pVPA against stair-parity DVPA to 
computing stair-parity acceptance in the product, which is again an (unlabeled) 
pVPA. We therefore focus on pVPA in this section and do not consider DVPA. 

Throughout the rest of this section, let A = (Q, q_0, Γ, ⊥, P) be an unlabeled
pVPA. On the next pages we describe the construction of a finite Markov chain
M_A that we call the step chain of A. Loosely speaking, M_A simulates jumping
from one step (see Definition 3) of a run of A to the next. A similar idea first
appeared in [14]. Our construction, however, differs from the original one in
various aspects. We discuss this in detail in Remark 5 further below.
Steps as events. For all n ∈ ℕ_0, we define a random variable V^(n) on Runs_A
whose value is either the state q of A at the n-th step, or the extended state q⊥
in the special case where the n-th step occurs at a bottom configuration of the
form q⊥, for some q ∈ Q. We denote the set of all such extended states by
Q⊥ = {q⊥ | q ∈ Q}. Formally, V^(n): Runs_A → Q ∪ Q⊥ is defined as

$$V^{(n)}(\rho) = \begin{cases} q & \text{if } step_n(\rho) = q\gamma \text{ with } \gamma \neq \bot, \\ q\bot & \text{if } step_n(\rho) = q\bot, \end{cases}$$

where step_n(ρ) denotes the configuration at the n-th step of ρ. Note that
V^(0) = q_0⊥ because the first position of a run is always a step.


Lemma 2. For all n ∈ ℕ_0 and v ∈ Q ∪ Q⊥, the event V^(n) = v is measurable,
and thus V^(n) is a well-defined random variable.


We can view the sequence V^(0), V^(1), ... of random variables as a stochastic
process. It is intuitively clear that for all n ∈ ℕ_0, the value of V^(n+1) depends
only on V^(n), but not on V^(i) for i < n. This is due to the more general
observation that the state q at any step configuration qγ (with γ ≠ ⊥) fully determines
the future of the run because being a step already implies that no symbol in γ
can ever be read, as reading it implies popping it from the stack. In particular, q
determines the probability distribution over possible next steps. A similar
observation applies to bottom configurations of the form q⊥. Phrased in probability
theoretical terms, the process V^(0), V^(1), ... has the Markov property, i.e.,

$$P(V^{(n)} = v_n \mid V^{(n-1)} = v_{n-1} \wedge \dots \wedge V^{(0)} = v_0) \;=\; P(V^{(n)} = v_n \mid V^{(n-1)} = v_{n-1}) \tag{1}$$

holds for all values of v_0, ..., v_n such that the above conditional probabilities are
well-defined¹. This was proved in detail in [14]. It is also clear that the Markov
process is time-homogeneous in the sense that

$$P(V^{(n+1)} = v \mid V^{(n)} = v') \;=\; P(V^{(n'+1)} = v \mid V^{(n')} = v')$$

holds for all n, n' ∈ ℕ_0 for which the two conditional probabilities are
well-defined. The following example provides some intuition on these facts.


Example 3. Consider the pVPA in Figure 7 (left). The initial fragments of its
two equiprobable runs are depicted in the middle. In this example, it is easy
to read off the next-step probabilities P(V^(n) = v_n | V^(n-1) = v_{n-1}) for all
n ∈ ℕ_0 and v_n, v_{n-1} ∈ Q ∪ Q⊥. They are summarized in the Markov chain on
the right. For example, V^(0) = q_0⊥ holds with probability 1, and V^(1) = q_1 and
V^(1) = q_3 hold with probability 1/2 each because the second step occurs either
at position 1 with configuration q_1⊥Z or at position 3 with configuration q_3⊥,


¹ A conditional probability is well-defined if the condition, i.e., the event on the right-hand
side of the vertical bar, has positive probability. Expressions like the one in
(1) are thus not necessarily well-defined because the probability that V^(n-1) = v_{n-1}
might be zero for certain values of n and v_{n-1}.

Fig. 7. Left: An example (unlabeled) pVPA A. Call, internal, and return states are
depicted as squares, circles, and rhombs, respectively. The format of the transition
labels is analogous to Figure 5 (left). Middle: Initial fragments of the two possible runs
of A. Steps are underlined. Right: Its step Markov chain M_A (Definition 10, page 15).


              | q → r                                                                       | q⊥ → r                  | q⊥ → r⊥                           | q → r⊥
q ∈ Q_call    | ([r↑]/[q↑]) · ( Σ_{r',Z} P_call(q, r'Z)·[r'Z↓r] + Σ_Z P_call(q, rZ) )      | Σ_Z P_call(q, rZ)·[r↑]  | Σ_{r',Z} P_call(q, r'Z)·[r'Z↓r]   | 0
q ∈ Q_int     | P_int(q, r)·[r↑] / [q↑]                                                     | 0                       | P_int(q, r)                       | 0
q ∈ Q_ret     | n/a                                                                         | 0                       | P_ret(q⊥, r)                      | n/a

Fig. 8. Next-step probabilities of the step Markov chain. P_type for type ∈ {call, int, ret}
are the probabilities of the pVPA's call, internal, and return transitions, respectively.
The values [r'Z↓r] and [q↑] are the return and diverge probabilities from Definition 9.


and both options are equally likely. The case P(V^(2) = q_2 | V^(1) = q_1) = 1 is
slightly more interesting: Given that a configuration q_1γ with γ ≠ ⊥ is a step,
we know that the next state must be q_2 (which is then also a step). Even though
there is a transition from q_1 to q_3 in A, the next state cannot be q_3 because the
latter is a return state which would immediately decrease the stack height of γ.
This shows that, intuitively speaking, conditioning on being a step influences the
probabilities of a state's outgoing transitions.


Probabilities of next steps, returns, and diverges. Our next goal is to
provide expressions for the next-step probabilities P(V^(n+1) = v' | V^(n) = v) as
we did in Example 3. It turns out that those can be stated in terms of the return
and diverge probabilities of A.


Definition 9. Let p, q ∈ Q, Z ∈ Γ, and γ ∈ Γ*. We define

– the return probability [pZ↓q] as the probability to reach configuration qγ from
pγZ without visiting another configuration of the form rγ for some r ∈ Q in
between; and

– the diverge probability [p↑] as the probability to never decrease the stack
height below |γZ| when starting in pγZ, i.e., [p↑] = 1 − Σ_{q∈Q} [pZ↓q].

Note that [p↑] is indeed independent of Z because the only way to read Z is by
popping it from the stack which decreases the stack height. The diverge
probabilities are closely related to steps. Indeed, the probability that a configuration
pγ with γ ≠ ⊥ is a step is equal to [p↑]. For example, in the pVPA in Figure 7
the configuration q_1⊥Z is a step with probability [q_1↑] = 1/2.

It is known that the return and diverge probabilities are in general
non-rational. As a minimal example, consider a pVPA that repeats the following
steps until emptying its stack or getting stuck: (i) It pushes four symbols with
probability 1/6, or (ii) pops one symbol with probability 1/2, or (iii) gets stuck
otherwise. The resulting return probability is the least solution of x = (1/6)x^5 +
1/2, a non-rational number that is not even solvable by radicals [16, Thm. 3.2(1)].
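As an added example (not code from the paper), the following Python script computes the return and diverge probabilities of Definition 9 by Kleene iteration on the polynomial equation system induced by a pVPA's transitions, i.e. it approximates the least solution the text refers to. The pVPA is constructed here: the push-four/pop-one/get-stuck automaton of the text, written with state-based visibility (an internal state i, call states c1..c4, a return state r and a stuck state s), so that [iZ↓i] is the least solution of x = (1/6)x^5 + 1/2.

```python
# Constructed pVPA (hypothetical, not the paper's own figure): from internal
# state i, push four symbols (via c1..c4) with prob. 1/6, pop one (via r)
# with prob. 1/2, or get stuck in s otherwise.  Stack alphabet is {Z}.
CALL, INT, RET = "call", "int", "ret"
TYPES = {"i": INT, "c1": CALL, "c2": CALL, "c3": CALL, "c4": CALL,
         "r": RET, "s": INT}
STACK = ["Z"]
# P_call(q, r'Z): call state q moves to r' and pushes Z
P_CALL = {("c1", "c2", "Z"): 1.0, ("c2", "c3", "Z"): 1.0,
          ("c3", "c4", "Z"): 1.0, ("c4", "i", "Z"): 1.0}
# P_int(q, r): internal move, stack unchanged
P_INT = {("i", "c1"): 1 / 6, ("i", "r"): 1 / 2, ("i", "s"): 1 / 3,
         ("s", "s"): 1.0}
# P_ret(qZ, r): return state q pops Z and moves to r
P_RET = {("r", "Z", "i"): 1.0}


def return_probabilities(types, stack, p_call, p_int, p_ret, iters=200):
    """Dict (p, Z, q) -> [pZ|q] by Kleene iteration from 0 (least fixed point) of
         p internal:  [pZ|q] = sum_r P_int(p,r) [rZ|q]
         p call:      [pZ|q] = sum_{r',Y} P_call(p,r'Y) sum_t [r'Y|t] [tZ|q]
         p return:    [pZ|q] = P_ret(pZ, q)
    (| stands for the down-arrow of Definition 9)."""
    states = list(types)
    x = {(p, Z, q): 0.0 for p in states for Z in stack for q in states}
    for _ in range(iters):
        new = {}
        for (p, Z, q) in x:
            if types[p] == RET:
                val = p_ret.get((p, Z, q), 0.0)
            elif types[p] == INT:
                val = sum(pr * x[(r, Z, q)]
                          for (src, r), pr in p_int.items() if src == p)
            else:  # call state: push Y, return from r' to some t, then pop Z
                val = sum(pr * sum(x[(rp, Y, t)] * x[(t, Z, q)] for t in states)
                          for (src, rp, Y), pr in p_call.items() if src == p)
            new[(p, Z, q)] = val
        x = new
    return x


def diverge_probabilities(types, stack, ret):
    """[p^] = 1 - sum_q [pZ|q]; independent of Z (Definition 9)."""
    Z = stack[0]
    return {p: 1.0 - sum(ret[(p, Z, q)] for q in types) for p in types}


if __name__ == "__main__":
    ret = return_probabilities(TYPES, STACK, P_CALL, P_INT, P_RET)
    x = ret[("i", "Z", "i")]
    print(f"[iZ|i] = {x:.6f}, residual of x = 1/2 + x^5/6: "
          f"{abs(x - (0.5 + x ** 5 / 6)):.1e}")
    print("diverge probabilities:", diverge_probabilities(TYPES, STACK, ret))
```

Kleene iteration converges to the least solution from below; for the two-state step in the text it yields x ≈ 0.5055, and [c1Z↓i] = x^5 because all four pushed symbols must be popped before returning to i.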


Remark 4. The terms return and diverge are natural. When modeling procedural
probabilistic programs as pVPA, [pZ↓q] is just the probability to eventually
return from local state p of the current procedure to local state q of the calling
procedure (the return address is stored on the stack in Z). Similarly, [p↑] is
the probability that the current procedure diverges, i.e., it never returns to the
calling context. Clearly, this is independent of the return address.


Lemma 3. The conditional next-step probabilities in Figure 8 are correct in the
sense that if P(V^(n+1) = v' | V^(n) = v) is defined for n ∈ ℕ_0 and v, v' ∈ Q ∪ Q⊥,
then it is equal to the probability in the respective column "v → v'".

Proof sketch. We only provide some intuition for two important cases; formal
derivations are in [28]. Let r ∈ Q be arbitrary.

– If q ∈ Q_int then P(V^(n+1) = r | V^(n) = q) = P_int(q,r)·[r↑] / [q↑]: Suppose that
the n-th step takes place at position i of the run. Since the n-th step occurs
at an internal state q, the (n+1)-st step must necessarily occur immediately
at position i+1. The factor P_int(q,r)·[r↑] is proportional to the probability
to take an (internal) transition from q to r and then diverge in r, which is
necessary in order for the next configuration to be a step. However, the values
{ P_int(q,r)·[r↑] | r ∈ Q } do not form a probability distribution in general. This
justifies the division by the normalizing constant [q↑] = Σ_{r∈Q} P_int(q,r)·[r↑].

– If q ∈ Q_call then P(V^(n+1) = r⊥ | V^(n) = q⊥) = Σ_{r',Z} P_call(q,r'Z)·[r'Z↓r]: If
the n-th step occurs at bottom configuration q⊥, then the (n+1)-st step can
only occur at bottom configuration r⊥ if the symbols pushed by q's outgoing
transitions are eventually popped. The expression in the sum equals the
probability to take a push-transition from q to r' that pushes Z onto the
stack, multiplied by the probability to return from r' (with Z on top) to r.


The step chain. It is convenient to view the stochastic process V^(0), V^(1), ...
as an explicit (graphical) Markov chain.


Definition 10 (The Step Chain M_A). M_A is the Markov chain with states

$$M \;=\; \{\, q \in Q_{call} \cup Q_{int} \mid [q{\uparrow}] > 0 \,\} \;\cup\; Q\bot,$$

initial state q_0⊥, and for all v, v' ∈ M, the probability of transition v → v' is
defined according to Figure 8.

Fig. 9. Left: Example pVPA with the following return-diverge probabilities: [cZ↓c] =
1/6, [cZ↓r] = 1/12, [rZ↓r] = 1/3, [rZ↓c] = 2/3, and [c↑] = 3/4, [r↑] = 1/2, [r↑] = 0.
Even though it is the case here, these probabilities are not always rational [16]. Right:
Its step Markov chain according to Definition 10. The transition probabilities can be
computed using the return and diverge probabilities and Figure 8.


Figure 9 depicts a non-trivial pVPA and its step chain. In this example, all
return and diverge probabilities are rational. In general, however, the return and
diverge probabilities (Definition 9) are algebraic numbers that are not always
rational or even expressible by radicals [16]. As a consequence, one cannot easily
perform numerical computations on the step chain. However, the probabilities can
be encoded implicitly as the unique solution of an existential theory of the reals
(ETR) formula, i.e. an existentially quantified FO-formula over (ℝ, +, ·, <) [14].
Since the ETR is decidable, many questions about the step chain are still
decidable as well. We will make use of this in Theorem 3 below.

The property of M_A that is most relevant to us is given by the following
Lemma 4. We call ρ⇓_steps = V^(0)(ρ) V^(1)(ρ) ... the extended footprint of run ρ.

Lemma 4 (Soundness of M_A). Let A be a pVPA with step chain M_A. Let
M be the states of the step chain and consider a measurable set R ⊆ M^ω. Then

$$P(\{\rho \in Runs_A \mid \rho{\Downarrow}_{steps} \in R\}) \;=\; P_{M_A}(R).$$


Proof sketch. For basic cylinder sets of the form R = w · M^ω for some w ∈ M*,
the claim follows from the Markov property (1) together with the correctness of
the transition probabilities of M_A according to Lemma 3. For other measurable
sets, it can be shown by induction over the levels of the Borel hierarchy [28].


Remark 5. The step chain as presented here differs from the original definition
in [14] in at least two important aspects. First, we have to take the semantics
of our special bottom symbol ⊥ into account. This is why our chain uses a
subset of Q ∪ Q⊥ as states—it must distinguish whether a step occurs at a
bottom configuration. The pPDA in [14], on the other hand, may have both
finite and infinite runs, and this needs to be handled differently in the step chain.
Second, we use step chains for a different purpose than [14], namely to show that
general measurable properties defined on steps—this includes stair-parity—can
be evaluated on pVPA (Lemma 4).


Fig. 10. Left: The product of the pVPA from Figure 9 (left) and the DVPA from
Figure 5 (left) on page 7. Right: Its step chain according to Definition 10. The dashed
region is the only BSCC. It violates the parity condition Ω(s_0) = 1 and Ω(s_1) = 2
inherited from the DVPA (see Example 2 on page 8) since every run reaching the BSCC
visits (c, s_0) infinitely often with probability 1. Only reachable states are depicted.


Putting it all together. We can now prove the main result of this section. 


Theorem 3. Let A be a pVPA and let D be a stair-parity DVPA, both over the
same pushdown alphabet Σ. Then for all θ ∈ [0,1] ∩ ℚ, the problem
P({ρ ∈ Runs_A | λ(ρ) ∈ L(D)}) ≥? θ is decidable in PSPACE.


Proof sketch. We first construct the product A × D according to Definition 8.
By Lemma 1 we need to compute the stair-parity acceptance probability of
A × D. Lemma 4 reduces this to computing a usual parity acceptance probability
in the step chain M_{A×D}. This can be achieved through finding the bottom
strongly connected components (BSCC) of M_{A×D}, classifying them as good
(the minimum priority of a BSCC state is even) or otherwise bad, and running a
standard reachability analysis w.r.t. the good states. See Figure 10 for an example.
The remaining technical difficulty is that the transition probabilities of M_{A×D}
are not rational in general. However, this can be dealt with using the fact that
these probabilities are expressible in the ETR [14] (see [28] for the details).
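The BSCC classification and reachability analysis of the proof sketch (which is also what Lemma 4 reduces a step-chain property to), as an added example that is not code from the paper. The finite chain, its priorities and its rational transition probabilities are constructed for illustration; as the text notes, a real step chain M_{A×D} has non-rational probabilities in general, which this numeric value iteration does not address.

```python
# Constructed finite Markov chain (hypothetical, not the paper's Figure 10)
# standing in for a step chain M_{A x D}.  Each state carries a priority, as
# inherited from the DVPA via Definition 8.  Almost every run of a finite
# chain ends up in a bottom strongly connected component (BSCC) and visits
# all of its states infinitely often, so the parity acceptance probability is
# the probability of reaching a BSCC whose minimum priority is even.
CHAIN = {  # state -> list of (successor, probability); each row sums to 1
    "a": [("a", 0.25), ("b", 0.25), ("d", 0.5)],
    "b": [("c", 1.0)],
    "c": [("b", 1.0)],
    "d": [("d", 1.0)],
}
PRIORITY = {"a": 2, "b": 1, "c": 2, "d": 2}
INITIAL = "a"


def reachable(chain, start):
    """Set of states reachable from start (depth-first search)."""
    seen, todo = set(), [start]
    while todo:
        s = todo.pop()
        if s not in seen:
            seen.add(s)
            todo.extend(t for t, _ in chain[s])
    return seen


def bsccs(chain):
    """Bottom SCCs: the SCC of s is bottom iff nothing outside it is
    reachable from s, i.e. reach(s) equals the SCC itself."""
    reach = {s: reachable(chain, s) for s in chain}
    comps = []
    for s in chain:
        comp = {t for t in reach[s] if s in reach[t]}  # the SCC of s
        if reach[s] == comp and comp not in comps:
            comps.append(comp)
    return comps


def good_states(chain, priority):
    """States of good BSCCs (minimum priority even); all other BSCCs are bad."""
    good = set()
    for comp in bsccs(chain):
        if min(priority[s] for s in comp) % 2 == 0:
            good |= comp
    return good


def reach_probability(chain, target, start, iters=2000):
    """P(eventually reach target) from start, by value iteration from 0:
    x(s) = 1 on target states and x(s) = sum_t P(s,t) x(t) elsewhere."""
    x = {s: (1.0 if s in target else 0.0) for s in chain}
    for _ in range(iters):
        x = {s: (1.0 if s in target else sum(p * x[t] for t, p in chain[s]))
             for s in chain}
    return x[start]


def parity_acceptance_probability(chain, priority, start):
    """Probability that a run from start satisfies the parity condition."""
    return reach_probability(chain, good_states(chain, priority), start)


if __name__ == "__main__":
    print("BSCCs:", bsccs(CHAIN))
    print("good states:", good_states(CHAIN, PRIORITY))
    print("P(parity) =", parity_acceptance_probability(CHAIN, PRIORITY, INITIAL))
```

In the constructed chain the BSCC {b, c} has minimum priority 1 and is bad, {d} is good, and the acceptance probability is the probability of reaching d from a, namely 2/3.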


4.3 Probabilistic One-counter Automata 


A probabilistic visibly one-counter automaton (pVOC) is the special case of
a pVPA with unary stack alphabet, i.e., |Γ| = 1. For example, the pVPA
in Figure 9 (left) is a pVOC. For many problems, better complexity bounds are
known for pVOC than for the general case. In particular, [p↑] > 0 can be decided
in P [9, Thm. 4]. We can exploit this to improve Theorem 3 in the pVOC case:


Corollary 1. Let A be a pVOC and D be a stair-parity DVPA over pushdown
alphabet Σ. The problem P({ρ ∈ Runs_A | λ(ρ) ∈ L(D)}) =? 1 is decidable in P.

Corollary 1 implies that there exist efficient algorithms for many properties
of pVOC-expressible random walks on ℕ_0. In fact, a.s. satisfaction of each fixed
visibly-pushdown property can be decided in P. For instance, using the DVPA
from Figure 5 we can decide if a random walk is a.s. repeatedly bounded.


5 Model Checking against Büchi VPA and CaRet 


With Theorems 1 and 3 it follows immediately that quantitative model checking 
of pVPA against non-deterministic Büchi VPA is decidable in EXPSPACE. We 
can improve the complexity in the qualitative case: 


Theorem 4. Let A be a pVPA and 𝒜 be a (non-deterministic) Büchi VPA over
the same pushdown alphabet. The problem P({ρ ∈ Runs_A | λ(ρ) ∈ L(𝒜)}) =? 1
is EXPTIME-complete.


In the above result, membership in EXPTIME relies on the fact that one can
construct the underlying graph of a step chain M_{A×D} in time exponential in the
size of A but polynomial in the size of D; see [28]. EXPTIME-hardness follows
from [15, Thm. 8]. In fact, qualitative model checking of pPDA against
non-pushdown Büchi automata is also EXPTIME-complete [15]. With Theorems 1
to 4 we immediately obtain the following complexity results for CaRet model
checking:

Theorem 5. The quantitative and qualitative probabilistic CaRet model
checking problems (Def. 7) are decidable in 2EXPSPACE and 2EXPTIME, respectively.


Both problems are known to be EXPTIME-hard [30]. 


6 Conclusion 


We have presented the first decidability result for model checking pPDA—an
operational model of procedural discrete probabilistic programs—against CaRet,
or more generally, against the class of ω-VPL. We heavily rely on the
determinization procedure from [22] and the notion of a step chain used in previous
works. These two constructions turn out to be a natural match.

We conjecture that our complexity bounds are not the best possible, which is
often the case in purely automata-based model checking. Future work is thus to
investigate whether the doubly-exponential complexity can be lowered to
singly-exponential, e.g. by generalizing the automata-less algorithm from [30]. Other
topics are to explore to what extent algorithms for probabilistic CTL can be
generalized to the branching-time variant of CaRet [18], to consider more
expressive logics such as visibly LTL [8] or OPTL [12], and to study the interplay
of conditioning and recursion [27] through the lens of pPDA.